struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Risk by allowing application* params
Date Fri, 08 Aug 2014 19:30:25 GMT
2014-08-07 11:43 GMT+02:00 Fabian Richter <frichter@mtg.de>:
> Hey,
>
> we are wondering why struts params interceptor excludes
>
> ^application\..*
>
> as a parameter?
>
> To what kind of vulnerabilities would we open our applications if we allow
> parameters starting with application to be set by struts?

It's the same as session param - but you have access to the whole ServletContext


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
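
A configuration check for the exclusion discussed in this thread, as an added example that is not part of the original messages or of Struts itself: it reads the `excludeParams` setting of the `params` interceptor from a `struts.xml` fragment and reports which probe parameter names would stop being rejected if `^application\..*` were dropped. The XML fragments, the probe names, the `^session\..*` pattern and the whole-name matching rule are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed struts.xml fragments (not from the thread). STRICT keeps the
# pattern quoted in the question; RELAXED is a hypothetical override without it.
STRICT = r"""
<struts><package name="a"><action name="save">
  <interceptor-ref name="params">
    <param name="excludeParams">^session\..*,^application\..*</param>
  </interceptor-ref>
</action></package></struts>"""

RELAXED = STRICT.replace(r",^application\..*", "")

# Probe names a request could carry; constructed for this check.
PROBES = ["application.someAttribute", "session.user", "user.name", "applicationName"]


def exclude_patterns(struts_xml):
    """Collect excludeParams patterns from every <interceptor-ref name="params">."""
    patterns = []
    root = ET.fromstring(struts_xml)
    for ref in root.iter("interceptor-ref"):
        if ref.get("name") != "params":
            continue
        for param in ref.findall("param"):
            if param.get("name") == "excludeParams" and param.text:
                patterns += [p.strip() for p in param.text.split(",") if p.strip()]
    return [re.compile(p) for p in patterns]


def accepted_names(struts_xml, names=PROBES):
    """Return the probe names that no exclude pattern rejects."""
    patterns = exclude_patterns(struts_xml)
    # Assumption: a name is excluded when a pattern matches the whole name.
    return [n for n in names if not any(p.fullmatch(n) for p in patterns)]


def audit(struts_xml):
    """List accepted names that address the session or application scope."""
    return [n for n in accepted_names(struts_xml)
            if n.startswith(("application.", "session."))]


if __name__ == "__main__":
    for label, cfg in (("strict", STRICT), ("relaxed", RELAXED)):
        print(label, "accepts scope-addressing names:", audit(cfg) or "none")
```

Note that `applicationName` passes in both configurations: the pattern only rejects names that begin with `application.` followed by a property path.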
