Try adding this to your struts.xml:

  <constant name="struts.url.includeParams" value="none"/>

   (*Chris*)

On Wed, Aug 20, 2008 at 10:41 AM, Ed Webb <[EMAIL PROTECTED]> wrote:

> Wilson G. wrote:
> > Hi everyone,
> >
> > I found out a weird thing today. I logged in to a Struts app and got
> forwarded to the homepage, which contains a sortable displaytag table. The
> URL for the sortable columns of the table contains the user name and
> password I entered!
> >
> > For example, on the login page, I used the login Test/myPassword, and the
> URL for a sortable column is the following:
> >
> >
> http://127.0.0.1:7767/test/homepage.do?d-1111-s=3&d-1111-o=2&passwd=myPassword&submit=login&username=Test
> >
> > Any idea why it does that, and how I can fix this security risk?
> >
> >
> If the <display:table> does not have a requestURI attribute then
> displaytag will use the current URL to request changes to the table.
> Looks like in this case it's picked up your username and password from
> login and put them into the request. I would guess that the login form
> is using GET to send the username and password rather than POST.
> Changing the action attribute of the <form> element to POST should
> remove them from your displaytag URLs. Logging in should be a POST
> action because you are changing the server's state (it now registers you
> as logged in) rather than just requesting some data.
>
> Ed!
>
> _______________________________________________
> displaytag-user mailing list
> displaytag-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/displaytag-user
>
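Putting the two fixes from the thread side by side, as an added example (not code from any of the posts, from displaytag or from Struts): the form is switched from GET to POST so the credentials never reach the query string, and the table gets an explicit requestURI so sort and paging links are built from a fixed base instead of whatever the current URL happens to carry. The parameter names username, passwd and submit are the ones from Wilson's URL; login.do, the collection name rows and the column property name are made up for the illustration.

```jsp
<%@ taglib uri="http://displaytag.sf.net" prefix="display" %>

<%-- BEFORE (leaks): a GET form puts username and passwd into the query string of the
     page that follows; with no requestURI, displaytag derives its column links from that
     URL, so every sortable header carries the credentials.  Kept here only for contrast. --%>
<form action="login.do" method="get">
  <input type="text"     name="username"/>
  <input type="password" name="passwd"/>
  <input type="submit"   name="submit" value="login"/>
</form>
<display:table name="rows" id="row">
  <display:column property="name" sortable="true"/>
</display:table>

<%-- AFTER: login is a state change, so submit it with POST; the credentials travel in the
     request body and never appear in the URL that displaytag sees. --%>
<form action="login.do" method="post">
  <input type="text"     name="username"/>
  <input type="password" name="passwd"/>
  <input type="submit"   name="submit" value="login"/>
</form>

<%-- requestURI pins the base of the generated sort/paging links to homepage.do, so the
     links are "homepage.do?d-1111-s=...&d-1111-o=..." rather than a copy of the current
     URL plus the tag's own parameters. --%>
<display:table name="rows" id="row" requestURI="homepage.do">
  <display:column property="name" sortable="true"/>
</display:table>
```

After the change, click a sortable header and check the resulting address bar (or the link's href in the page source): only the d-1111-s / d-1111-o parameters should be present. Treat any credential that did reach a URL as exposed, since it will already sit in browser history, proxy logs and the server access log.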
