You are mixing two things up. Of course I check for permissions on an
action.
The problem is that someone else can let another user execute actions
without knowing it.
For example, if you were to create an image in a comment like:
<img src="AddUser.action?username=myadmin&password=test&isadmin=true">
and a user with the right permissions is logged in, the action will get
executed, and a new user myadmin is created.

This security hole was in some forum software also. It's easily
prevented by using the right request methods.

Joris

Message: 7
Date: Mon, 5 Jan 2004 07:34:29 -0800 (PST)
From: Cuong Tran <[EMAIL PROTECTED]>
Subject: Re: [OS-webwork] Security concern: HTTP-POST / HTTP-GET separation
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]


This is not much security since I can still create a post form myself. I would check for authorization from the actions (or before invoking the actions using interceptors/filters)
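The two defences raised in this exchange, refusing state-changing actions over GET (Joris) and checking authorization in the action or an interceptor (Cuong), can be seen side by side in the following added example. It is not code from the thread or from WebWork; Python stands in for WebWork's Java interceptors, and the names (Request, User, dispatch, add_user_action) are hypothetical. Because a hand-built POST form still works cross-site, as Cuong points out, the example also adds a per-session anti-forgery token check, which is a standard addition and not something the thread itself proposes.

```python
# Added example (not from the WebWork thread): a minimal action dispatcher
# applying method enforcement, authorization and an anti-forgery token to the
# AddUser action discussed above. All names here are hypothetical.

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class User:
    name: str
    is_admin: bool
    # Per-session anti-forgery token (synchronizer token pattern); assumed
    # to be rendered into the site's own forms as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str                  # "GET" or "POST"
    action: str                  # e.g. "AddUser.action"
    params: Dict[str, str]       # query string or form fields
    user: Optional[User] = None  # logged-in user from the session, if any


class Forbidden(Exception):
    pass


# Actions that change state are only accepted over POST.
STATE_CHANGING = {"AddUser.action"}

# Constructed in-memory user store standing in for the real one.
USERS: Dict[str, Dict[str, bool]] = {}


def add_user_action(req: Request) -> str:
    # Authorization check inside the action itself (Cuong's point): being
    # reachable is not the same as being allowed.
    if req.user is None or not req.user.is_admin:
        raise Forbidden("admin rights required")
    USERS[req.params["username"]] = {"isadmin": req.params.get("isadmin") == "true"}
    return "created " + req.params["username"]


ACTIONS = {"AddUser.action": add_user_action}


def dispatch(req: Request) -> str:
    # Interceptor 1 (Joris's point): refuse state-changing actions on GET, so
    # an <img src="AddUser.action?..."> embedded in a comment never reaches
    # the action, even when an admin is logged in.
    if req.action in STATE_CHANGING and req.method != "POST":
        raise Forbidden("%s requires POST" % req.action)
    # Interceptor 2 (assumed addition): a forged POST form is still possible,
    # so the request must echo the session's token, which a third-party page
    # cannot read. compare_digest avoids a timing side channel.
    if req.action in STATE_CHANGING:
        sent = req.params.get("token", "")
        if req.user is None or not secrets.compare_digest(sent, req.user.csrf_token):
            raise Forbidden("missing or wrong anti-forgery token")
    return ACTIONS[req.action](req)


def try_dispatch(req: Request) -> Tuple[str, str]:
    """Run a request and report ("ok", result) or ("forbidden", reason)."""
    try:
        return ("ok", dispatch(req))
    except Forbidden as exc:
        return ("forbidden", str(exc))


if __name__ == "__main__":
    admin = User("alice", is_admin=True)
    forged = {"username": "myadmin", "password": "test", "isadmin": "true"}
    # The image-tag request from the thread: GET, admin session present.
    print(try_dispatch(Request("GET", "AddUser.action", forged, user=admin)))
    # A legitimate submission from the site's own form.
    print(try_dispatch(Request("POST", "AddUser.action",
                               dict(forged, token=admin.csrf_token), user=admin)))
```

Running the module prints a rejection for the image-tag GET and a success for the form submission that carries the session token. The authorization check stays in the action, so a logged-in non-admin who submits the same form with a valid token is still refused.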


