This problem seems to me like less of a security problem but more of an
"ease of access" problem. What I mean by that is even if that action
were only allowed in POST form, I could still exploit it. Sure, it would
be a little harder since I couldn't just type in a URL, but anyone can
telnet to the web server and submit a POST manually.

How is this anything more than trying to limit the ease of access to a
potential application vulnerability (I say application vulnerability as
opposed to framework vulnerability)?

-Pat

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Cuong Tran
Sent: Tuesday, January 06, 2004 7:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [OS-webwork] Security concern: HTTP-POST / HTTP-GET seperation


 I see your problem now :)

--- Joris Verschoor <[EMAIL PROTECTED]> wrote:
> You are mixing two things up. Of course I check for permissions on an
> action.
> The problem is that someone else can let another user execute actions
> without knowing it.
> For example if you would create an image in a comment like:
> <img src="AddUser.action?username=myadmin&password=test&isadmin=true">
> And a user with the right permissions is logged in, the action will get
> executed, and a new user myadmin is created.
> 
> This security hole was in some forum software also. It's easily
> prevented by using the right request methods.
> 
> Joris
> 
> > Message: 7
> > Date: Mon, 5 Jan 2004 07:34:29 -0800 (PST)
> > From: Cuong Tran <[EMAIL PROTECTED]>
> > Subject: Re: [OS-webwork] Security concern: HTTP-POST / HTTP-GET seperation
> > To: [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> >
> >
> >  This is not much security since I can still create a post form
> > myself.  I would check for authorization from the actions (or before
> > invoking the actions using interceptors/filters)
> 
> 
> 
> _______________________________________________
> Opensymphony-webwork mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork






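The interceptor chain the thread argues about, modelled in Python as an added example (not WebWork code and not written by any of the posters): one interceptor refuses GET for state-changing actions, which stops Joris's `<img>` vector, and a second checks authorization, which is what still matters against Pat's hand-crafted POST. Action names, users and roles are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet

# Constructed list of actions that change server state. These must never run on
# GET: an <img src="AddUser.action?..."> in another user's comment makes the
# victim's browser send that GET with the victim's session cookie attached.
STATE_CHANGING_ACTIONS = {"AddUser.action", "DeleteUser.action"}


@dataclass
class Request:
    method: str
    path: str                      # action name, e.g. "AddUser.action"
    user: Optional[str]            # user bound to the session cookie, None if anonymous
    roles: FrozenSet[str] = frozenset()


def method_check(req: Request) -> Optional[int]:
    """Interceptor 1: refuse GET/HEAD for state-changing actions (405)."""
    if req.path in STATE_CHANGING_ACTIONS and req.method in ("GET", "HEAD"):
        return 405
    return None


def authorization_check(req: Request) -> Optional[int]:
    """Interceptor 2: the session user must hold the admin role (403 otherwise)."""
    if req.path in STATE_CHANGING_ACTIONS and "admin" not in req.roles:
        return 403
    return None


def dispatch(req: Request) -> int:
    """Run the interceptor chain in order; 200 means the action itself would execute."""
    for check in (method_check, authorization_check):
        status = check(req)
        if status is not None:
            return status
    return 200


ADMIN = frozenset({"admin"})


def scenarios() -> dict:
    """Constructed requests covering the cases argued in the thread."""
    return {
        # Joris: <img> rendered in a logged-in admin's browser -> a GET with admin's cookie
        "img_get_by_admin": dispatch(Request("GET", "AddUser.action", "alice", ADMIN)),
        # The legitimate admin submitting the real form
        "form_post_by_admin": dispatch(Request("POST", "AddUser.action", "alice", ADMIN)),
        # Pat: anyone can telnet in and hand-craft a POST; the method check passes it,
        # so only the authorization interceptor stands between them and the action
        "crafted_post_anonymous": dispatch(Request("POST", "AddUser.action", None)),
        "crafted_post_by_user": dispatch(
            Request("POST", "AddUser.action", "bob", frozenset({"user"}))),
    }
```

Running `scenarios()` shows the split of responsibilities: the GET from the image is stopped at 405 regardless of who is logged in, while the crafted POSTs are stopped at 403 only because authorization is checked separately.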
