struts-issues mailing list archives

From "Philip Luppens (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (WW-2949) Passing parameter value from Action to Action requires a security vulnerability
Date Thu, 08 Jan 2009 08:00:46 GMT

     [ https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Luppens resolved WW-2949.
--------------------------------

    Resolution: Not A Problem

I'm not sure I'm getting your point: of course anything that you submit can be altered. If
you don't want that, use the session or store it somewhere where it cannot be tampered with
(database, filesystem, ...). Of course you have to check server-side everything that your users
submit, but that's web development 101.

If I misunderstood, feel free to reopen, but for now I'm marking this as 'Not a problem'.

> Passing parameter value from Action to Action requires a security vulnerability
> -------------------------------------------------------------------------------
>
>                 Key: WW-2949
>                 URL: https://issues.apache.org/struts/browse/WW-2949
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.1.6
>         Environment: All
>            Reporter: Lee Clemens
>
> To pass parameter value from Action->form->Action, need to use URL parameter or <s:hidden>
> URL can be manipulated manually and hidden form field can be altered via Firefox plugin, etc
> This presents a security issue, since the form's hidden attribute can be manipulated via a Firefox plugin, etc and the URL can be altered directly

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
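
The approach suggested in the reply (keep the value in the session instead of a URL parameter or `<s:hidden>` field, and check client-supplied values server-side), as an added example that is not part of the original message or of the Struts code base. The action name, session key, `EMAILS` store and `newEmail` field are hypothetical; the `SessionAware` import path is the one used by Struts 2.1.x.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

// Added example. EditAccountAction, ACCOUNT_ID_KEY, EMAILS and newEmail are
// hypothetical names; EMAILS is a constructed stand-in for a real data store.
public class EditAccountAction extends ActionSupport implements SessionAware {

    private static final String ACCOUNT_ID_KEY = "edit.accountId";
    private static final Map<Long, String> EMAILS = new ConcurrentHashMap<Long, String>();

    private Map<String, Object> session;
    private String newEmail; // user-editable, so it gets a setter

    // Injected by the servletConfig interceptor. No getter is exposed.
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    // First action: show the form. The record id goes into the session,
    // not into an <s:hidden> field or the URL.
    public String input() {
        session.put(ACCOUNT_ID_KEY, Long.valueOf(42L)); // constructed id
        return INPUT;
    }

    // Second action: handle the submit. The id is read back from the session;
    // there is no setAccountId(), so a request parameter cannot overwrite it.
    public String execute() {
        Object accountId = session.get(ACCOUNT_ID_KEY);
        if (!(accountId instanceof Long)) {
            addActionError("No edit in progress for this session.");
            return ERROR;
        }
        // Values that must come from the client are still checked server-side.
        if (newEmail == null || !newEmail.matches("[^@\\s]+@[^@\\s]+")) {
            addFieldError("newEmail", "Invalid e-mail address.");
            return INPUT;
        }
        EMAILS.put((Long) accountId, newEmail);
        session.remove(ACCOUNT_ID_KEY);
        return SUCCESS;
    }

    public String getNewEmail() { return newEmail; }
    public void setNewEmail(String newEmail) { this.newEmail = newEmail; }
}
```

Struts 2 populates action properties from request parameters through their public setters, so the absence of a setter for the account id is what keeps it out of the client's reach.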

