One of the most interesting security holes that MANY applications have is the use of wildcards in dynamic SQL queries....

login: admin
password: '+%+'

or those likes... try it sometime

--------
Jacob Hookom
Senior Programmer/Analyst
McKesson Medical Surgical
Golden Valley, MN

-----Original Message-----
From: Jing Zhou [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 20, 2003 2:29 PM
To: Struts Users Mailing List
Subject: [FRIDAY] Got A Security Hole?

It's Friday. Let us talk about some light issues like security problems ...

The Struts framework has a transaction token mechanism. It seems to be able to protect developers. But in some cases, it does not if session scoped form beans are used. See the detailed description of the potential security issues at

http://www.netspread.com/tips2.html#security

More interestingly, some very very experienced developers would think they are absolutely safe if they use request scoped form beans. It may not be the case as they think. Some mistakes are possible, in open source projects, in samples of published books, if the authors are not aware of them.

Jing

Netspread Carrier at http://www.netspread.com
"Making Simple Things Crazily Simpler."
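To make the wildcard problem from the reply above concrete, here is an added example (my own code, not from either poster or from Struts). It assumes a constructed in-memory SQLite table with two users; the function names `login_vulnerable`, `login_fixed`, `escape_like` and `search_logins` are my own. The vulnerable version pastes credentials into a `LIKE` comparison, so a password consisting only of the wildcard `%` matches any stored value. The fixed login uses an equality test with bound parameters, and for the case where substring search is genuinely wanted, the input's `%`, `_` and escape characters are neutralised and an `ESCAPE` clause is declared so the user's text only ever matches itself.

```python
import sqlite3


def make_db():
    # Constructed sample data, not taken from the mailing list.
    # Plaintext passwords only to keep the demo short; real systems
    # compare password hashes, which also makes LIKE meaningless for them.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret-Admin"), ("alice", "wonderland")],
    )
    return conn


def login_vulnerable(conn, login, password):
    # Anti-pattern: user input becomes part of a LIKE *pattern*, so the
    # caller controls matching semantics. A password of "%" matches every
    # stored password, and the check passes for any existing login.
    sql = (
        "SELECT COUNT(*) FROM users WHERE login LIKE '%s' AND password LIKE '%s'"
        % (login, password)
    )
    return conn.execute(sql).fetchone()[0] >= 1


def login_fixed(conn, login, password):
    # Equality with bound parameters: the input is only ever a value,
    # never a pattern, and wildcard characters have no special meaning.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row[0] == 1


def escape_like(value, esc="\\"):
    # For legitimate substring searches: escape the escape character first,
    # then the two LIKE metacharacters, so the input matches itself literally.
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_logins(conn, needle):
    # The application supplies the surrounding wildcards; the user's text is
    # escaped and bound as a parameter, with the ESCAPE character declared.
    pattern = "%" + escape_like(needle) + "%"
    rows = conn.execute(
        "SELECT login FROM users WHERE login LIKE ? ESCAPE '\\' ORDER BY login",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, password '%':", login_vulnerable(db, "admin", "%"))
    print("fixed, password '%':     ", login_fixed(db, "admin", "%"))
    print("search for '%':          ", search_logins(db, "%"))
```

Running the block prints `True` for the vulnerable login with a bare `%` password, `False` for the fixed one, and an empty list for a search for a literal `%`, since no login actually contains that character.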