[ https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Philip Luppens resolved WW-2949.
--------------------------------
Resolution: Not A Problem
I'm not sure I'm getting your point: of course anything that you submit can be
altered. If you don't want that, use the session or store it somewhere where it
cannot be tampered with (database, filesystem, ...). Of course you have to check
everything your users submit server-side, but that's web development 101.
If I misunderstood, feel free to reopen, but for now I'm marking this as 'Not a
problem'.
> Passing parameter value from Action to Action requires a security
> vulnerability
> -------------------------------------------------------------------------------
>
> Key: WW-2949
> URL: https://issues.apache.org/struts/browse/WW-2949
> Project: Struts 2
> Issue Type: Bug
> Components: Core Actions
> Affects Versions: 2.1.6
> Environment: All
> Reporter: Lee Clemens
>
> To pass a parameter value from Action->form->Action, you need to use a URL
> parameter or <s:hidden>.
> The URL can be manipulated manually and a hidden form field can be altered via
> a Firefox plugin, etc.
> This presents a security issue, since the form's hidden attribute can be
> manipulated via a Firefox plugin, etc., and the URL can be altered directly.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
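
The resolution above (keep the value in the session, check what is submitted server-side) can look like this for the Action->form->Action flow. This is an added example, not code from the issue or from the Struts project; the class names, session keys and the "owned account ids" set stored at login are assumptions, and it uses the Struts 2.1-era `SessionAware` interface.

```java
import java.util.Map;
import java.util.Set;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

// Action 1 (hypothetical): shows the edit form for one account.
class EditAccountAction extends ActionSupport implements SessionAware {
    static final String OWNED = "ownedAccountIds"; // assumed: Set<Long> stored at login
    static final String EDIT_ID = "editAccountId"; // constructed session key
    private Map<String, Object> session;
    private long accountId; // bound from the request, so untrusted

    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setAccountId(long accountId) { this.accountId = accountId; }

    @Override
    @SuppressWarnings("unchecked")
    public String execute() {
        Set<Long> owned = (Set<Long>) session.get(OWNED);
        if (owned == null || !owned.contains(accountId)) return ERROR; // server-side check
        session.put(EDIT_ID, accountId); // carried to the next action on the server
        return SUCCESS;                  // the form needs no <s:hidden name="accountId"/>
    }
}

// Action 2 (hypothetical): handles the form submit.
class SaveAccountAction extends ActionSupport implements SessionAware {
    private Map<String, Object> session;
    private String displayName; // ordinary form field, validated below

    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    // No setAccountId(): a tampered accountId parameter has no property to bind to.

    @Override
    public String execute() {
        Long accountId = (Long) session.get(EditAccountAction.EDIT_ID);
        if (accountId == null) return ERROR; // form not reached through EditAccountAction
        if (displayName == null || displayName.trim().isEmpty() || displayName.length() > 64) {
            addFieldError("displayName", "1 to 64 characters required");
            return INPUT; // id stays in the session so the form can be resubmitted
        }
        session.remove(EditAccountAction.EDIT_ID);
        // accountId is the server-side value; pass it and displayName to the storage layer here.
        return SUCCESS;
    }
}
```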