struts-issues mailing list archives

From "Lee Clemens (JIRA)" <j...@apache.org>
Subject [jira] Created: (WW-2949) Passing parameter value from Action to Action requires a security vulnerability
Date Thu, 08 Jan 2009 07:48:46 GMT
Passing parameter value from Action to Action requires a security vulnerability
-------------------------------------------------------------------------------

                 Key: WW-2949
                 URL: https://issues.apache.org/struts/browse/WW-2949
             Project: Struts 2
          Issue Type: Bug
          Components: Core Actions
    Affects Versions: 2.1.6
         Environment: All
            Reporter: Lee Clemens


To pass a parameter value from Action->form->Action, you need to use a URL parameter or <s:hidden>.

The URL can be manipulated manually and a hidden form field can be altered via a Firefox plugin, etc.

This presents a security issue, since the form's hidden attribute can be manipulated via a
Firefox plugin, etc., and the URL can be altered directly.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
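
An added example, not part of the original message or of Struts itself: one way to detect the tampering described in the report is to attach an HMAC to the value before it is rendered into the hidden field or URL and to verify it in the receiving Action. The class name `SealedParam`, the session identifiers and the sample value are hypothetical and constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Hypothetical helper: seals a value for a hidden field and verifies it on return. */
public class SealedParam {
    private final SecretKeySpec key;

    public SealedParam(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    private byte[] tag(String sessionId, String value) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        // Bind the tag to the session so a sealed value cannot be reused by another user.
        m.update(sessionId.getBytes(StandardCharsets.UTF_8));
        m.update((byte) 0); // separator between session id and value
        m.update(value.getBytes(StandardCharsets.UTF_8));
        return m.doFinal();
    }

    /** Text to place in the hidden field: "<value>.<base64url tag>". */
    public String seal(String sessionId, String value) throws Exception {
        String t = Base64.getUrlEncoder().withoutPadding().encodeToString(tag(sessionId, value));
        return value + "." + t;
    }

    /** Returns the original value, or null if the field was altered or is malformed. */
    public String open(String sessionId, String sealed) throws Exception {
        int dot = (sealed == null) ? -1 : sealed.lastIndexOf('.');
        if (dot < 0) return null;
        String value = sealed.substring(0, dot);
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(sealed.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // tag is not valid base64url
        }
        // Constant-time comparison of expected and submitted tags.
        return MessageDigest.isEqual(tag(sessionId, value), given) ? value : null;
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // server-side key, never sent to the client
        SealedParam sp = new SealedParam(secret);
        String field = sp.seal("sess-A", "accountId=1001"); // constructed sample value
        System.out.println(sp.open("sess-A", field));                          // unmodified
        System.out.println(sp.open("sess-A", field.replace("1001", "1002"))); // altered in browser
        System.out.println(sp.open("sess-B", field));                          // other session
    }
}
```

The HMAC only detects modification; the value is still readable by the client, so anything that must stay secret belongs in server-side session state instead.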

