Curt,

I don't dispute what you're saying.  However, to the casual Struts user this
fact may be easily overlooked and exploited by a hacker.

- jeff

----- Original Message -----
From: "Curt Hagenlocher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 12:10 PM
Subject: RE: Potential Security Flaw in Struts MVC


> > However, if someone is familiar with the db schema and the
> > naming convention the developer used, that user could subvert
> > the application by writing his own version of the UI which
> > contains an "Administrative User Flag" field (or any other
> > field for that matter) and the basic form processing in
> > Struts will kindly honor the request and set the
> > "Administrative Flag" on the user.  Unless, of course, the
> > developer makes special provisions to prevent this behavior.
>
> Creating a secure web application means that *every* HTTP
> request should be checked for validity.  Any data that comes
> from the client is suspect.  This is no more or less true
> with Struts than without it.
>
> --
> Curt Hagenlocher
> [EMAIL PROTECTED]
>
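The behaviour the two messages above describe (a framework copying every request parameter whose name matches a form-bean property, so a client that adds an unexpected "admin" parameter gets it honoured) and Curt's answer (the server decides which parameters are valid for each request) can both be shown in a few lines. The following is an added, self-contained example, not Struts code and not from either poster: the form bean, the sign-up field list, the request strings and the `populate_*` helpers are all hypothetical, and plain Python attribute assignment stands in for JavaBean setters.

```python
"""Mass-assignment demo: framework-style auto-population of a form bean
from request parameters, beside an allowlisted version.

Added example (not Struts code). populate_naive() models the behaviour
discussed in the thread: any request parameter whose name matches a bean
property is copied onto the bean. populate_allowlisted() binds only the
properties the server expects for this screen and reports the rest.
"""
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Tuple
from urllib.parse import parse_qsl


@dataclass
class UserForm:
    """Hypothetical form bean mirroring a users table."""
    username: str = ""
    email: str = ""
    admin: bool = False  # the "administrative user flag" column


def _coerce(raw: str, target_type: type):
    """Convert a string request parameter to the property's declared type."""
    if target_type is bool:
        return raw.strip().lower() in ("true", "on", "yes", "1")
    return target_type(raw)


def populate_naive(form: UserForm, params: Mapping[str, str]) -> UserForm:
    """Trust the parameter names the client sent.

    Whatever the legitimate UI posts, a client that knows the property name
    can add admin=true and it is set just like username.
    """
    for name, raw in params.items():
        if hasattr(form, name) and not name.startswith("_"):
            setattr(form, name, _coerce(raw, type(getattr(form, name))))
    return form


def populate_allowlisted(form: UserForm, params: Mapping[str, str],
                         allowed: Iterable[str]) -> Tuple[UserForm, List[str]]:
    """Bind only the properties this screen is allowed to set.

    Returns the form and the sorted names of parameters that were not bound,
    so the caller can log them: an unexpected parameter is evidence of a
    hand-built request rather than the application's own UI.
    """
    allowed = set(allowed)
    unbound = sorted(name for name in params if name not in allowed)
    for name in allowed:
        if name in params:
            setattr(form, name, _coerce(params[name], type(getattr(form, name))))
    return form, unbound


SIGNUP_FIELDS = ("username", "email")  # what the hypothetical sign-up page posts


def handle_signup(query_string: str,
                  requester_may_grant_admin: bool) -> Tuple[UserForm, List[str]]:
    """Server side of the hypothetical sign-up form.

    The admin flag is never bound from the request by the form; it is set
    only when a server-side authorisation decision permits it.
    """
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    form, unbound = populate_allowlisted(UserForm(), params, SIGNUP_FIELDS)
    form.admin = requester_may_grant_admin and _coerce(params.get("admin", "false"), bool)
    return form, unbound


if __name__ == "__main__":
    # Constructed request: the fields the UI sends, plus a forged admin flag.
    forged = "username=jeff&email=jeff%40example.com&admin=true"
    params = dict(parse_qsl(forged))
    print("naive binding:      ", populate_naive(UserForm(), params))
    print("allowlisted binding:", handle_signup(forged, requester_may_grant_admin=False))
```

The allowlist is per screen, not per bean: the same `UserForm` may legitimately carry `admin` on an administrator's edit page, so the set of bindable names belongs with the action that handles the request, and anything outside it is worth logging rather than silently dropping.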
