界: Environment
本节包括的所有内容均与源代码无关,但对所创建产品的安全性仍然至关重要。因为本节涉及的问题与源代码没有直接关系,所以我们将它与其他章节分开。
Struts Misconfiguration: Duplicate Form Bean
Abstract
存在多个同名
form-bean 条目。form-bean 名称重复往往表示遗留调试代码或印刷错误。Explanation
form-bean 名称重复无任何意义,因为当在多个 <form-bean> 标签中使用同一名称时,只会注册最后一个条目。示例 1:以下配置包含两个同名
form-bean 条目。
<form-beans>
<form-bean name="loginForm" type="org.apache.struts.validator.DynaValidatorForm">
<form-property name="name" type="java.lang.String" />
<form-property name="password" type="java.lang.String" />
</form-bean>
<form-bean name="loginForm" type="org.apache.struts.validator.DynaActionForm">
<form-property name="favoriteColor" type="java.lang.String" />
</form-bean>
</form-beans>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - Common Weakness Enumeration CWE ID 694
[3] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[4] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[7] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.config.java.struts_misconfiguration_duplicate_form_bean