Is it just me or has the list received this message well over 10 times?
Chris
-----Original Message-----
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 12:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
Curt,
I don't dispute what you're saying. However, to the casual Struts user this
fact may be easily overlooked and exploited by a hacker.
- jeff
----- Original Message -----
From: "Curt Hagenlocher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 12:10 PM
Subject: RE: Potential Security Flaw in Struts MVC
> > However, if someone is familiar with the db schema and the
> > naming convention the developer used, that user could subvert
> > the application by writing his own version of the UI which
> > contains an "Administrative User Flag" field (or any other
> > field for that matter) and the basic form processing in
> > Struts will kindly honor the request and set the
> > "Administrative Flag" on the user. Unless, of course, the
> > developer makes special provisions to prevent this behavior.
>
> Creating a secure web application means that *every* HTTP
> request should be checked for validity. Any data that comes
> from the client is suspect. This is no more or less true
> with Struts than without it.
>
> --
> Curt Hagenlocher
> [EMAIL PROTECTED]
>
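An added illustration of the issue the thread discusses (not code from the thread or from the Struts project): a form bean that mirrors the user table, including an admin flag, populated reflectively from request parameters in the way Struts' ActionForm handling is described above. The `UserForm` class, the parameter names and the forged request are constructed for this example; `populateAll` emulates property-by-name binding with `java.beans` so it runs without Struts on the classpath, and `populateAllowed` shows the "special provision" Jeff mentions, an allow-list of the fields the UI is actually meant to submit.

```java
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class MassAssignmentDemo {

    /** Hypothetical form bean: one property per column, including the admin flag. */
    public static class UserForm {
        private String username;
        private String email;
        private boolean admin;   // the "Administrative User Flag" from the thread

        public String getUsername() { return username; }
        public void setUsername(String v) { username = v; }
        public String getEmail() { return email; }
        public void setEmail(String v) { email = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }

        public String toString() {
            return username + " <" + email + "> admin=" + admin;
        }
    }

    /**
     * Emulation of reflective request-to-bean population (assumption: this is the
     * behaviour the thread attributes to Struts). Every request parameter whose
     * name matches a writable bean property is set, whether or not the real UI
     * ever rendered a field for it.
     */
    static void populateAll(Object bean, Map<String, String> params) throws Exception {
        BeanInfo info = Introspector.getBeanInfo(bean.getClass(), Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            String value = params.get(pd.getName());
            if (value == null || pd.getWriteMethod() == null) continue;
            Class<?> type = pd.getPropertyType();
            Object converted = (type == boolean.class || type == Boolean.class)
                    ? Boolean.valueOf(value)
                    : value;
            pd.getWriteMethod().invoke(bean, converted);
        }
    }

    /**
     * Hardened variant: bind only the parameters the application expects for this
     * screen. Anything else the client sends (here, "admin") is dropped before
     * population, so a hand-crafted form cannot reach the privileged property.
     */
    static void populateAllowed(Object bean, Map<String, String> params,
                                Set<String> allowed) throws Exception {
        Map<String, String> filtered = new HashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (allowed.contains(e.getKey())) {
                filtered.put(e.getKey(), e.getValue());
            }
        }
        populateAll(bean, filtered);
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the attacker's own copy of the UI posts an extra
        // "admin" field that the legitimate page never contains.
        Map<String, String> forged = new HashMap<>();
        forged.put("username", "mallory");
        forged.put("email", "mallory@example.org");
        forged.put("admin", "true");

        UserForm unchecked = new UserForm();
        populateAll(unchecked, forged);
        System.out.println("bind every parameter:    " + unchecked);

        UserForm checked = new UserForm();
        populateAllowed(checked, forged, Set.of("username", "email"));
        System.out.println("bind allow-listed only:  " + checked);
    }
}
```

Run with `javac MassAssignmentDemo.java && java MassAssignmentDemo`. The first line shows the forged flag landing on the bean; the second shows it discarded. The allow-list is the minimal fix; the stronger design, in line with Curt's point, is to keep privileged columns out of the request-bound form bean altogether and set them only from server-side authorization logic.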