-Original Message-
From: Jim Richards [mailto:[EMAIL PROTECTED]]
Sent: 31 May 2001 09:21
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
At 11:53 PM 30/05/01 -0700, you wrote:
A good way of removing the bucketloads :-} from your Action classes is to
subclass ActionServlet
please remove me from this list.
In the case at hand, nothing stops your user from logging on (so your
security checks won't catch anything) and then hand typing a URL with
query string parameters that maliciously or accidentally try to change
things in the system. If the user is successful at doing this, it's shame on
At 11:53 PM 30/05/01 -0700, you wrote:
A good way of removing the bucketloads :-} from your Action classes is to
subclass ActionServlet and implement processActionPerform to do the logon
check.
It's not just for login though, that was the example I used, every action that generates a form needs
On Mon, 7 May 2001, Jeff Trent wrote:
Ah, this may be a problem in the way I've adapted Struts. I reflect all UserForm method calls directly into the contained User object owned by the UserForm. So for instance, I have
public class UserForm extends ActionsForm
{
protected User
On Tue, 8 May 2001, Manabendra Sarkar wrote:
but if I use an external security mechanism, will it be dynamic? I mean to say, if the admin wants to change his/her password from the application (using the admin interface), how can he/she do that without restarting the server?
There is no global
I'm sure my ears will be ringing at home that night :^)
- Original Message -
From: Craig R. McClanahan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 31, 2001 1:01 AM
Subject: Re: Potential Security Flaw in Struts MVC
Sent: Wednesday, May 09, 2001 9:40 AM
Subject: RE: Potential Security Flaw in Struts MVC
The way I usually handle this sort of problem is to delegate the security back towards the model layer of code. I will usually have some sort of User class and each web session has an associated instance
What a great time to be a Geek
-Original Message-
From: Jonathan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 09, 2001 8:11 AM
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
Christian...are you lurking about?
If your User bean
Here's a quick write up. Let me know if you have
problems with it. I tried to use an example that is
as real world as possible and that cannot necessarily
be fixed with some user realm/role solution.
Calvin
--- Ted Husted [EMAIL PROTECTED] wrote:
Feel free. If you would like to document it,
Is it just me or has the list received this message well over 10 times?
Chris
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 12:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
Curt,
I don't dispute what you're
To: Struts-User
Subject: RE: Potential Security Flaw in Struts MVC
I usually just lurk on this list, but I think I'll pipe in here.
I think Jeff raises a valid point, and it's one of my particular gripes about the webapp paradigm (certainly not Struts in general): every action that is represented
Jeff,
Are you asking if bookmarking a URL that contains query parameters might be a security risk?
Anthony
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 8:37 AM
To: [EMAIL PROTECTED]
Subject: Potential Security Flaw in Struts MVC
I may be
However, if someone is familiar with the db schema and the naming convention the developer used, that user could subvert the application by writing his own version of the UI which contains an Administrative User Flag field (or any other field for that matter) and the basic form processing in
Wouldn't this not be a concern because the user would never be in the session on the target server?
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 11:37 AM
To: [EMAIL PROTECTED]
Subject: Potential Security Flaw in Struts MVC
I may be
There is a security risk here as you describe, if (and only if) you are using a generic introspection-based function (like Struts' PropertyUtils.copyBean) to copy the values from the UserForm object to the User object. There are several ways to avoid this --
1. Don't put an admin flag "setter"
Title: RE: Potential Security Flaw in Struts MVC
You can easily guard against this by using simple JavaBeans in the presentation layer and having your action class do the persistent storage from your JavaBean view layer.
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 10:11 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Potential Security Flaw in Struts MVC
- Original Message -
From: Anthony Martin [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 11:59 AM
Subject: RE: Potential Security Flaw in Struts MVC
actually ever found a good, concise and reasonably complete article on them.
Will
- Original Message -
From: Jeff Trent [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 12:51 PM
Subject: Re: Potential Security Flaw in Struts MVC
Curt,
I don't dispute what you're saying
depends. He would have a session if he has enrolled already...
- Original Message -
From: Hogan, John
To: '[EMAIL PROTECTED]'
Sent: Monday, May 07, 2001 1:09 PM
Subject: RE: Potential Security Flaw in Struts MVC
Wouldn't this not be a concern because
Title: RE: Potential Security Flaw in Struts MVC
Beyond the scope of my brain container class (maybe in a week or so I'll know how to translate what you just said in terms of what I know) :^
- Original Message -
From: Jason Chaffee
To: '[EMAIL PROTECTED]'
Sent
Security Flaw in Struts MVC
Christian,
You kick ass!
Apologies to the sensitive but that was a great explanation of a very
obscure but important problem.
Bryan
Christian Cryder wrote:
I usually just lurk on this list, but I think I'll pipe in here.
[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 1:52 PM
Subject: RE: Potential Security Flaw in Struts MVC
I usually just lurk on this list, but I think I'll pipe in here.
I think Curt raises a valid point, and it's one of my particular gripes
about the webapp paradigm
No, I can write a form locally and have the action run on your server...
- Original Message -
From: Peter Alfors [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 1:56 PM
Subject: Re: Potential Security Flaw in Struts MVC
Wouldn't the hacker have to get the new form
://barracuda.enhydra.org
What a great time to be a Geek
-Original Message-
From: Curt Hagenlocher [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 10:11 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Potential Security Flaw
PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 1:56 PM
Subject: Re: Potential Security Flaw in Struts MVC
Wouldn't the hacker have to get the new form class into the classpath of the server since all of the code runs server side?
Jeff Trent wrote:
That is not what my
At 12:17 PM 5/7/2001 -0700, you wrote:
Role-Based Action Execution.
Add the ability to require the current user to be in a particular security role before they can execute a particular action.
I just wanted to pipe in here because we're integrating Struts into our
stuff (Slowly!) The Expresso
I think I must be missing something... I don't see how a user/hacker is going to gain access to the system if one is using security. If you route each request through a security check (realm) then you should be able to determine if the current user has access to the requested page/action.
A basic problem with most web development is that people are building security into their applications. It should be handled outside of the application. You can have your application work in conjunction with an external security mechanism for more granular control but I the security
From: Bryan Field-Elliot
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 1:14 PM
Subject: Re: Potential Security Flaw in Struts MVC
There is a security risk here as you describe, if (and only if) you are using a generic introspection-based function (lik
Message -
From: Peter Alfors [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 4:14 PM
Subject: Re: Potential Security Flaw in Struts MVC
Sure. You could create a jsp page that had the fields you would like, and even call off a remote action from your own page.
However, if I
We are doing something very similar. We are using the jaas security to map
each action to a permission.
This way, each user is mapped to the actions that he/she is allowed to
perform.
Each request is routed through a security check to verify that the currently
logged in user has permissions to
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 4:38 PM
Subject: Re: Potential Security Flaw in Struts MVC
Either you are misunderstanding Struts, or I am misunderstanding you. Struts will populate your UserForm for you, prior to your UserAction being called. However, it is your
[mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 5:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
it is something that could be overlooked. :)
- jeff
I think I must be missing something... I don't see how a user/hacker is going to gain access to the system if one is using security.
hackers aren't always from the outside, you also have to protect yourself from legitimate users, who could try to force the system. Not every secure user is
a little more than what I have.
- jeff
-Original Message-
From: George, Carl [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Potential Security Flaw in Struts MVC
I think you are trying to make things too hard, you could handle this relatively simply in two different ways:
1
Feel free. If you would like to document it, I'd be happy to find a
place for it in the users guide.
Calvin Yu wrote:
I think that this potential exploit should probably be thoroughly documented, along with potential workarounds. Last thing we want is to have Struts being tagged as being
This is open source. Anyone is welcome to jump in and join the
management by submitting code.
Jeff Trent wrote:
Therefore, if I haven't reached my quota today, I'd like to suggest to management that there is a bean property (or something) that results in form fields being propagated across
Feel free to submit some code.
Jeff Trent wrote:
I like it! I second this request totally!
Ted,
I wish I had time. Now that I have three kids I can't spend any spare cycle(s) on anything but changing diapers!
- Original Message -
From: Ted Husted [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 7:46 PM
Subject: Re: Potential Security Flaw in Struts MVC
Sent: Monday, May 07, 2001 5:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
A basic problem with most web development is that people are building
security into their applications. It should be handled outside of the
application. You can have your