[
https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45454#action_45454
]
Rene Gielen commented on WW-2949:
---------------------------------
You may want to have a look at the scope plugin [1], which provides an S2 way to
ease targeted state transfer between actions (via session, of course). But this
issue is really a non-issue :)
[1] http://cwiki.apache.org/S2PLUGINS/scope-plugin.html
> Passing parameter value from Action to Action requires a security
> vulnerability
> -------------------------------------------------------------------------------
>
> Key: WW-2949
> URL: https://issues.apache.org/struts/browse/WW-2949
> Project: Struts 2
> Issue Type: Improvement
> Components: Core Actions
> Affects Versions: 2.1.6
> Environment: All
> Reporter: Lee Clemens
> Priority: Minor
>
> To pass parameter value from Action->form->Action, need to use URL parameter
> or <s:hidden>
> URL can be manipulated manually and hidden form field can be altered via
> Firefox plugin, etc
> This presents a security issue, since the form's hidden attribute can be
> manipulated via a Firefox plugin, etc and the URL can be altered directly
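The session-based transfer the comment points to, shown with Struts 2's plain `SessionAware` interface (2.1.x signature) rather than the scope plugin. This is an added example, not part of the issue or the Struts project; the class names, session keys and the per-user id set are assumptions.

```java
// Added example; not from the issue or the Struts code base. Class names,
// session keys and the per-user id set are hypothetical.
// Each public class goes in its own .java file.
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;
import java.util.Map;
import java.util.Set;

/** Action 1: shows the edit form. The id is checked once, then kept server-side. */
public class EditOrderAction extends ActionSupport implements SessionAware {
    static final String EDITING = "editOrder.id";   // hypothetical session key
    static final String ALLOWED = "user.orderIds";  // assumed to be filled at login
    private Map<String, Object> session;
    private Long id;                                // request parameter

    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setId(Long id) { this.id = id; }    // bound by the params interceptor

    @Override
    @SuppressWarnings("unchecked")
    public String execute() {
        Set<Long> allowed = (Set<Long>) session.get(ALLOWED);
        if (id == null || allowed == null || !allowed.contains(id)) {
            return ERROR;                           // not one of this user's orders
        }
        session.put(EDITING, id);                   // takes the place of <s:hidden name="id"/>
        return SUCCESS;
    }
}

/** Action 2: handles the form post. It has no setId() and no getSession(),
 *  so a tampered "id" parameter has no property to bind to. */
public class SaveOrderAction extends ActionSupport implements SessionAware {
    private Map<String, Object> session;
    private String comment;                         // the only user-editable field

    public void setSession(Map<String, Object> session) { this.session = session; }
    public void setComment(String comment) { this.comment = comment; }

    @Override
    public String execute() {
        Object id = session.remove(EditOrderAction.EDITING); // one use per rendered form
        if (!(id instanceof Long)) {
            return INPUT;                           // expired session or direct post
        }
        addActionMessage("Order " + id + " updated: " + comment); // persistence omitted
        return SUCCESS;
    }
}
```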