no! haha!
to remove yourself from the list, send an email to [EMAIL PROTECTED]
oh man, too much coffee...
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 01, 2001 4:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts
please remove me from this list.
Jon.
-Original Message-
From: Jim Richards [mailto:[EMAIL PROTECTED]]
Sent: 31 May 2001 09:21
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
At 11:53 PM 30/05/01 -0700, you wrote:
>A good way of removing the bucketloads :-} from your Action classes is to
>subclass ActionServlet and implement processActionPerform to do the logon
>check.
It's not just for login though, that was the example I used, every action that
generates a form need
ent: Wednesday, May 30, 2001 11:08 PM
Subject: Re: Potential Security Flaw in Struts MVC
>
>> In the case at hand, nothing stops your user from logging on (so your
>> security checks won't catch anything) and then hand typing a URL with
>> query string parameters that maliciously or accidentally try to change
>> things in the system. If the user is successful at doing this, it's shame
I'm sure my ears will be ringing at home that night :^)
- Original Message -
From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 31, 2001 1:01 AM
Subject: Re: Potential Security Flaw in Struts MVC
>
>
>
On Tue, 8 May 2001, Manabendra Sarkar wrote:
> but if i use external security mechanism, will it be dynamic? I mean to say,
> if the admin wants to change his/her password from the application
> (using admin interface), how can he/she do that without restarting the
> server?
>
There is no gl
On Mon, 7 May 2001, Jeff Trent wrote:
> Ah, this may be a problem in the way I've adapted Struts. I reflect all UserForm
> method calls directly into the contained User object owned by the UserForm. So for
> instance, I have
>
> public class UserForm extends ActionsForm
> {
> protected Us
[EMAIL PROTECTED]
Barracuda - Open-source MVC Component Framework for Webapps
http://barracuda.enhydra.org
"What a great time to be a Geek"
> -Original Message-
> From: Jonathan [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 09, 2
PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 09, 2001 9:40 AM
Subject: RE: Potential Security Flaw in Struts MVC
>
>
> The way I usually handle this sort of problem is to delegate the security
> back towards the model layer of code. I will usually have some sort
ns on
methods.
Sean
-Original Message-
From: Christian Cryder [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 11:15 AM
To: Struts-User
Subject: RE: Potential Security Flaw in Struts MVC
I usually just lurk on this list, but I think I'll pipe in here.
I think Jeff raises a valid
: Struts-User
Subject: RE: Potential Security Flaw in Struts MVC
I usually just lurk on this list, but I think I'll pipe in here.
I think Jeff raises a valid point, and it's one of my particular gripes
about the webapp paradigm (certainly not Struts in general): every "action"
Is it just me or has the list received this message well over 10 times?
Chris
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 12:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
Curt,
I don't dispute what
Here's a quick write up. Let me know if you have
problems with it. I tried to use an example that is
as real world as possible and that cannot necessarily
be fixed with some user realm/role solution.
Calvin
--- Ted Husted <[EMAIL PROTECTED]> wrote:
> Feel free. If you would like to document i
fy'" <[EMAIL PROTECTED]>
Sent: Tuesday, May 08, 2001 8:08 AM
Subject: RE: Potential Security Flaw in Struts MVC
> but if i use external security mechanism, will it be dynamic? I mean to say,
> if the admin wants to change his/her password from the application
> (using admi
TECTED]]
> Sent: Monday, May 07, 2001 5:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Potential Security Flaw in Struts MVC
>
> A basic problem with most web development is that people are building
> security into their applications. It should be handled outside of the
>
Ted,
I wish I had time. Now that I have three kids I can't spend any spare
cycle(s) on anything but changing diapers!
- Original Message -
From: "Ted Husted" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 7:46 PM
Subject: Re: Potent
Feel free to submit some code.
Jeff Trent wrote:
> I like it! I second this request totally!
This is open source. Anyone is welcome to jump in and join the
"management" by submitting code.
Jeff Trent wrote:
> Therefore, if I haven't reached my quota today, I'd like to suggest to
> management that there is a bean property (or something) that results in form
> fields being propagated accro
Feel free. If you would like to document it, I'd be happy to find a
place for it in the users guide.
Calvin Yu wrote:
>
> I think that this potential exploit should probably be
> thoroughly documented, along with potential
> workarounds. Last thing we want is to have Struts
> being tagged as be
Anthony
-Original Message-
From: George, Carl [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 1:01 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Potential Security Flaw in Struts MVC
I think you are trying to make things too hard, you could handle this
relatively simply in tw
AIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
Ah, this may be a problem in the way I've adapted
Struts. I reflect all UserForm method calls directly into the contained
User object owned by the UserForm. So for instance, I have
public class UserForm extends
Action
ee my original concern?
Maybe I need to separate the model from the form a little more than what
I have.
- jeff
- Original Message -
From: Bryan Field-Elliot
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 4:38 PM
Subject: Re: Potential Security
>I think I must be missing something... I don't see how a user/hacker is
>going to gain access to the system if one is using security.
hackers aren't always from the outside, you also have to protect yourself
from legitimate users, who could try to force the system. Not every secure
user is
from user screens (yet).
I'm glad you brought the issue up, because it is something that could be
overlooked. :)
>
> - jeff
>
> - Original Message -
> From: "Peter Alfors" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, May 07, 2001 4:14
rtin Duffy
[mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 5:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
A basic problem with most web development is that
people are building security into their applications. It should be
handled outside of the a
jeff
- Original Message -
From: Bryan Field-Elliot
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 4:38 PM
Subject: Re: Potential Security Flaw in Struts MVC
Either you are misunderstanding Struts, or I am misunderstanding you. Struts
will populate your UserForm for you, prior
We are doing something very similar. We are using the jaas security to map
each action to a permission.
This way, each user is mapped to the actions that he/she is allowed to
perform.
Each request is routed through a security check to verify that the currently
logged in user has permissions to th
- Original Message -
From: "Peter Alfors" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 4:14 PM
Subject: Re: Potential Security Flaw in Struts MVC
> Sure. You could create a jsp page that had the fields you would like, and even
> call off a
From: Bryan Field-Elliot
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 1:14 PM
Subject: Re: Potential Security Flaw in Struts MVC
There is a security risk here as you describe, if (and only if) you are
using a generic introspection-based function.
- Original Message -
From: Jeff Trent
To: [EMAIL PROTECTED]
Sent: Monday, May 07, 2001 6:37 PM
Subject: Potential Security Flaw in Struts MVC
I may be wrong about this (only been working w/
Struts for a week now). But I do see a potential security flaw in struts
that
> I think I must be missing something... I don't see how a
> user/hacker is going to gain access to the system if one
> is using security. If you route each request through a
> security check (realm) then you should be able to determine
> if the current user has access to the requested page/act
At 12:17 PM 5/7/2001 -0700, you wrote:
>Role-Based Action Execution.
>Add the ability to require the current user to be in a
>particular security role before they can execute a
>particular action.
I just wanted to pipe in here because we're integrating Struts into our
stuff (Slowly!) The Express
r Alfors" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, May 07, 2001 1:56 PM
> Subject: Re: Potential Security Flaw in Struts MVC
>
> > Wouldn't the hacker have to get the new form class into the classpath of the
> > server since
:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 2:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Potential Security Flaw in Struts MVC
Beyond the scope of my brain container class (maybe in a week or so I'll
know how to translate what you just said in terms of what I know) :^>
- Original
m: "Christian Cryder" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 1:52 PM
Subject: RE: Potential Security Flaw in Struts MVC
> I usually just lurk on this list, but I think I'll pipe in here.
>
> I think Curt raises a valid point,
ions or events as real
> objects, not just Strings.
>
> Anyway, I'd be curious to hear thoughts and
> feedback, and to know how others
> have approached this particular type of problem...
>
> Christian
>
> Christian
>
> Christian Cryder
> [EMAIL PROTECTED]
> Barracuda - Open-source MVC Component Framework for Webapps
> http://barracuda.enhydra.org
>
> "What a great time to be a Geek
No, I can write a form locally and have the action run on your server...
- Original Message -
From: "Peter Alfors" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 1:56 PM
Subject: Re: Potential Security Flaw in Struts MVC
> Wouldn
ryder" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 1:52 PM
Subject: RE: Potential Security Flaw in Struts MVC
> I usually just lurk on this list, but I think I'll pipe in here.
>
> I think Curt raises a valid point, and it's one o
Christian,
You kick ass!
Apologies to the sensitive but that was a great explanation of a very
obscure but important problem.
Bryan
Christian Cryder wrote:
>I usually just lurk on this list, but I think I'll pipe in here.
>
>
ECTED]
Sent: Monday, May 07, 2001 1:14 PM
Subject: Re: Potential Security Flaw in Struts MVC
There is a security risk here as you describe, if (and only if)
you are using a generic introspection-based function (like Struts'
PropertyUtils.copyBean) to copy the values from the UserF
ing convention, they can
> > write their own form to
> > override the administrative-level fields above.
> >
> >
> > - Original Message -
> > From: "Anthony Martin" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
Beyond the scope of my brain container class (maybe
in a week or so I'll know how to translate what you just said in terms of what I
know) :^>
- Original Message -
From: Jason Chaffee
To: '[EMAIL PROTECTED
depends. He would have a session if he has
enrolled already...
- Original Message -
From: Hogan, John
To: '[EMAIL PROTECTED]'
Sent: Monday, May 07, 2001 1:09 PM
Subject: RE: Potential Security Flaw in Struts MVC
Wouldn't this not be a conc
ions. I haven't
actually ever found a good, concise and reasonably complete article on
them.
Will
- Original Message -
From: "Jeff Trent" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 12:51 PM
Subject: Re: Potential Security Flaw in Str
PM
To: '[EMAIL PROTECTED]'
Subject: RE: Potential Security Flaw in Struts MVC
Wouldn't this not be a concern because the user would
never be in the session on the target server?
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May
-
"What a great time to be a Geek"
> -Original Message-
> From: Curt Hagenlocher [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 07, 2001 10:11 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Potential Security Flaw in Struts
convention, they can write their own form to
> override the administrative-level fields above.
>
> - Original Message -
> From: "Anthony Martin" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, May 07, 2001 11:59 AM
> Subject: RE: Poten
>
> - Original Message -
> From: "Anthony Martin" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, May 07, 2001 11:59 AM
> Subject: RE: Potential Security Flaw in Struts MVC
>
>
> > Jeff,
> >
> > Are you asking if b
You can easily guard against this by using simple JavaBeans in the presentation layer and having your action class do the persistent storage from your JavaBean view layer.
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED
There is a security risk here as you describe, if (and only if) you are using
a generic introspection-based function (like Struts' PropertyUtils.copyBean)
to copy the values from the UserForm object to the User object. There are
several ways to avoid this --
1. Don't put an admin flag "setter"
Wouldn't this not be a concern because the user would
never be in the session on the target server?
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 11:37 AM
To: [EMAIL PROTECTED]
Subject: Potential Security Flaw in Struts MVC
I m
, 2001 12:10 PM
Subject: RE: Potential Security Flaw in Struts MVC
> > However, if someone is familiar with the db schema and the
> > naming convention the developer used, that user could subvert
> > the application by writing his own version of the UI which
> > contain
Sent: Monday, May 07, 2001 11:59 AM
Subject: RE: Potential Security Flaw in Struts MVC
> Jeff,
>
> Are you asking if bookmarking a URL that contains query parameters might be
> a security risk?
>
>
> Anthony
>
> -Original Message-
> From: Jeff Trent [mailto:
> However, if someone is familiar with the db schema and the
> naming convention the developer used, that user could subvert
> the application by writing his own version of the UI which
> contains an "Administrative User Flag" field (or any other
> field for that matter) and the basic form process
Jeff,
Are you asking if bookmarking a URL that contains query parameters might be
a security risk?
Anthony
-Original Message-
From: Jeff Trent [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 07, 2001 8:37 AM
To: [EMAIL PROTECTED]
Subject: Potential Security Flaw in Struts MVC
I may be wrong about this (only been working w/
Struts for a week now). But I do see a potential security flaw in struts
that I would like to hear from others regarding.
Consider a simple set of struts classes that
represent a user in a system. You would probably have classes that look
so