I see your problem now :) --- Joris Verschoor <[EMAIL PROTECTED]> wrote: > You are mixing two things up. Ofcourse I check for permissions on > an > action. > The problem is that someone else can let antoher user execute > actions > without knowing it. > For example if you would create an image in a comment like: > <img > src="AddUser.action?username=myadmin&password=test&isadmin=true"> > And a user with the right permissions is logged in, the action will > get > executed, and a new user myadmin is created. > > This security hole was in some forum software also. It's easily > prevented by using the right request methods. > > Joris > > > Message: 7 > > Date: Mon, 5 Jan 2004 07:34:29 -0800 (PST) > > From: Cuong Tran <[EMAIL PROTECTED]> > > Subject: Re: [OS-webwork] Security concern: HTTP-POST / HTTP-GET > seperation > > To: [EMAIL PROTECTED] > > Reply-To: [EMAIL PROTECTED] > > > > > > This is not much security since I can still create a post form > > myself. I would check for authorization from the actions (or > before > > invoking the actions using interceptors/filters) > > > > ------------------------------------------------------- > This SF.net email is sponsored by: IBM Linux Tutorials. > Become an expert in LINUX or just sharpen your skills. Sign up for > IBM's > Free Linux Tutorials. Learn everything from the bash shell to sys > admin. > Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click > _______________________________________________ > Opensymphony-webwork mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
__________________________________ Do you Yahoo!? Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes http://hotjobs.sweepstakes.yahoo.com/signingbonus ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Opensymphony-webwork mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
