It would be easy enough to create an Interceptor to filter out GET requests too... Just apply to the Actions you want guarded.
> -----Original Message-----
> From: Patrick Lightbody [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 07, 2004 3:17 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [OS-webwork] Security concern: HTTP-POST / HTTP-GET seperation
>
> This problem seems to me like less of a security problem but more of an
> "ease of access" problem. What I mean by that is even if that action were
> only allowed in POST form, I could still exploit it. Sure, it would be a
> little harder since I couldn't just type in a URL, but anyone can telnet to
> the web server and submit a POST manually.
>
> How is this anything more than trying to limit the ease of access to a
> potential application vulnerability (I say application vulnerability as
> opposed to framework vulnerability).
>
> -Pat
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cuong Tran
> Sent: Tuesday, January 06, 2004 7:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [OS-webwork] Security concern: HTTP-POST / HTTP-GET seperation
>
> I see your problem now :)
>
> --- Joris Verschoor <[EMAIL PROTECTED]> wrote:
> > You are mixing two things up. Of course I check for permissions on an
> > action.
> > The problem is that someone else can let another user execute actions
> > without knowing it.
> > For example if you would create an image in a comment like:
> > <img src="AddUser.action?username=myadmin&password=test&isadmin=true">
> > And a user with the right permissions is logged in, the action will get
> > executed, and a new user myadmin is created.
> >
> > This security hole was in some forum software also. It's easily
> > prevented by using the right request methods.
> >
> > Joris
> >
> > > Message: 7
> > > Date: Mon, 5 Jan 2004 07:34:29 -0800 (PST)
> > > From: Cuong Tran <[EMAIL PROTECTED]>
> > > Subject: Re: [OS-webwork] Security concern: HTTP-POST / HTTP-GET seperation
> > > To: [EMAIL PROTECTED]
> > > Reply-To: [EMAIL PROTECTED]
> > >
> > > This is not much security since I can still create a post form
> > > myself. I would check for authorization from the actions (or before
> > > invoking the actions using interceptors/filters)

_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
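The guard proposed at the top of this message, as an added example that is not part of the thread and not WebWork code: a small Python WSGI middleware standing in for a WebWork Interceptor, which lets a listed action answer only POST, driven by constructed requests that replay Joris's scenario (the GET a logged-in user's browser sends for the forged `<img>` tag, then a genuine form POST). The action name `AddUser.action`, the in-memory user store and the request payload are assumptions for illustration.

```python
import io
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Hypothetical list of state-changing actions that must only answer POST.
GUARDED_ACTIONS = {"/AddUser.action"}


class UserStore:
    """Toy user table, so the effect of each request can be observed."""

    def __init__(self):
        self.users = {}

    def add(self, username, password, isadmin):
        self.users[username] = {"password": password, "isadmin": isadmin}


def make_add_user_action(store):
    """Stand-in for AddUser.action. Like the action in the thread it takes its
    parameters from wherever they arrive: query string on GET, form body on POST."""

    def action(environ, start_response):
        if environ["REQUEST_METHOD"] == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            raw = environ["wsgi.input"].read(length).decode()
        else:
            raw = environ.get("QUERY_STRING", "")
        params = {k: v[0] for k, v in parse_qs(raw).items()}
        store.add(params.get("username", ""), params.get("password", ""),
                  params.get("isadmin") == "true")
        body = b"user created\n"
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Content-Length", str(len(body)))])
        return [body]

    return action


def method_guard(app, guarded=GUARDED_ACTIONS):
    """The 'Interceptor that filters out GET requests' from the thread, as WSGI
    middleware: guarded paths get 405 for anything but POST, all others pass."""

    def guarded_app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if path in guarded and method != "POST":
            body = b"405 Method Not Allowed: this action accepts POST only\n"
            start_response("405 Method Not Allowed",
                           [("Content-Type", "text/plain"), ("Allow", "POST"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)

    return guarded_app


def call(app, method, path, query="", form=""):
    """Drive a WSGI app with a constructed request; returns (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query}
    if form:
        data = form.encode()
        environ["CONTENT_TYPE"] = "application/x-www-form-urlencoded"
        environ["CONTENT_LENGTH"] = str(len(data))
        environ["wsgi.input"] = io.BytesIO(data)
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def demo():
    """Replays the thread's scenario: the GET a browser sends for the forged
    <img> tag, first against the bare action, then against the guarded one,
    followed by a legitimate form POST. Returns (status, users) per request."""
    payload = "username=myadmin&password=test&isadmin=true"  # constructed input

    open_store = UserStore()
    bare = make_add_user_action(open_store)
    img_status, _ = call(bare, "GET", "/AddUser.action", query=payload)
    img_users = sorted(open_store.users)

    guarded_store = UserStore()
    guarded = method_guard(make_add_user_action(guarded_store))
    blocked_status, _ = call(guarded, "GET", "/AddUser.action", query=payload)
    blocked_users = sorted(guarded_store.users)
    post_status, _ = call(guarded, "POST", "/AddUser.action", form=payload)
    post_users = sorted(guarded_store.users)

    return {
        "img_get_unguarded": (img_status, img_users),
        "img_get_guarded": (blocked_status, blocked_users),
        "form_post_guarded": (post_status, post_users),
    }


if __name__ == "__main__":
    for name, (status, users) in demo().items():
        print(f"{name:20s} -> {status:22s} users={users}")
```

Against the bare action the image-tag GET creates `myadmin`; with the guard in front the same GET is answered 405 and nothing is created, while the form POST still works. Pat's objection stays valid: the guard removes the `<img>` vector Joris describes, not the ability of anyone who can send a POST to call the action, and a page the victim visits can also make the browser submit a POST form with the victim's session. So the method restriction narrows the attack surface; the authorization check inside the action that Cuong describes is still needed.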