Big Security Hole Found in Struts 2 and Possibly WebWork

In the programming world, two of the most widely understood classes of vulnerability are cross-site scripting (XSS) and injection of user-supplied commands (e.g. SQL injection), so you can imagine my surprise when I found that the Struts 2 framework, which has only just been deemed suitable for production use, suffers from both.

This serves as a good example of why any development team should have at least one person who has a background in application security and is tasked with checking for the common types of security problems which come from fundamental design mistakes.

As for the Struts 2 problem, the example shows how it can be used to shut down the application server in which the web application is running, and, frankly, it doesn’t get much worse than users being able to shut down the website, so hopefully this will serve as a lesson for all.
