Rick Reumann wrote:
Paul Benedict wrote:

The problem isn't that Struts allows the user to cancel an action, but that EVERY action can be cancelled.

I must still be missing something... what is the big deal here? If you don't code to handle the cancel, nothing serious can happen, and if you do code for a cancel, what's the worst case scenario? Since you are doing a "cancel" you would just typically be forwarded or redirected back to some input page or some other harmless page.

I think I can answer this... Actually, I think I outlined a scenario in a previous message, but it's worth repeating to get the point across... or if I happen to be wrong we can figure that out too :)

Imagine you have a page where a user can select a table in a database from a choice of three that they want to save some entries to. Ignore for the moment that this would, even as an admin application, probably be viewed as a bad design in most cases. Forget that for now :)

If you were coding with *any* kind of security in mind, you would validate that the selected table is one of the three acceptable ones. You may well do this on the server via the typical validate() method of the form.

Now, imagine a hacker wants to get to a completely different table in the database (I suppose reading from a selected table would be a better example, but I digress). To do so, they can pass in the canceled parameter and whatever table name they want, assuming they can mangle the URL properly and establish a session first. Since Struts will populate the form and fire the Action *without* calling validate() in this case, the hacker has the "in" they want.

Like I said, I'm describing a scenario that would probably not happen too often, and certainly not by anyone with half a brain :) But that's the basic mechanism in a nutshell... now imagine how many innocent and less obvious ways to screw up that would be exploitable there may be :)

(As a side note, I never use the cancel button anyway. I always use a submit or regular button with some javascript setting a 'canceled' dispatch param for my cancel buttons. I had a reason at some point why I liked doing that, although I forgot now what the exact reason was :)

I frankly don't recall *ever* using the canceled functionality either, but I wouldn't assume I'm typical... I rarely am :)

--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM: fzammetti
Yahoo: fzammetti
MSN: [EMAIL PROTECTED]
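As an added illustration (not code from the thread or from Struts itself), here is the scenario Frank describes written against the Struts 1 Action/ActionForm API, with hypothetical class, forward and message-key names: the table allowlist is checked only in validate(), which Struts skips when the cancel parameter is present, so the Action re-checks the value in execute() and keeps the cancel path free of any data access.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

// Hypothetical form bean (would normally live in its own file).
// The allowlist check below runs only when Struts calls validate(),
// and Struts 1 does NOT call it when the cancel parameter is present.
class SaveEntryForm extends ActionForm {
    static final List<String> ALLOWED_TABLES = Arrays.asList("notes", "tasks", "contacts");
    private String table;
    public String getTable() { return table; }
    public void setTable(String table) { this.table = table; }

    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (!ALLOWED_TABLES.contains(table)) {
            errors.add(ActionErrors.GLOBAL_MESSAGE, new ActionMessage("errors.table.invalid"));
        }
        return errors;
    }
}

public class SaveEntryAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        SaveEntryForm f = (SaveEntryForm) form;
        // Cancel path first: touch no data, just return to the input page.
        if (isCancelled(request)) {
            return mapping.findForward("input");
        }
        // Defense in depth: validate() may not have run (cancel, or a mapping with
        // validate="false"), so the value from the populated form is re-checked here.
        if (f.getTable() == null || !SaveEntryForm.ALLOWED_TABLES.contains(f.getTable())) {
            return mapping.findForward("input");
        }
        // Hypothetical save using the now-verified table name.
        return mapping.findForward("success");
    }
}
```

The same re-check in execute() also covers the case where the form is populated but the mapping's validate attribute was turned off, which is a second way validate() can be skipped.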
