RE: Potential Security Flaw in Struts MVC

2001-06-01 Thread SCHACHTER,MICHAEL (HP-NewJersey,ex2)
no! haha! to remove yourself from the list, send an email to [EMAIL PROTECTED] oh man, too much coffee... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, June 01, 2001 4:20 PM To: [EMAIL PROTECTED] Subject: Re: Potential Security Flaw in Struts

Re: Potential Security Flaw in Struts MVC

2001-06-01 Thread RAdams2472
please remove me from this list.

RE: Potential Security Flaw in Struts MVC

2001-06-01 Thread Jon.Ridgway
Jon. -Original Message- From: Jim Richards [mailto:[EMAIL PROTECTED]] Sent: 31 May 2001 09:21 To: [EMAIL PROTECTED] Subject: Re: Potential Security Flaw in Struts MVC At 11:53 PM 30/05/01 -0700, you wrote: >A good way of removing the bucketloads :-} from your Action classes is to >subclass Ac

Re: Potential Security Flaw in Struts MVC

2001-05-31 Thread Jim Richards
At 11:53 PM 30/05/01 -0700, you wrote: >A good way of removing the bucketloads :-} from your Action classes is to >subclass ActionServlet and implement processActionPerform to do the logon >check. It's not just for login though, that was the example I used, every action that generates a form need

Re: Potential Security Flaw in Struts MVC

2001-05-30 Thread Martin Cooper
ent: Wednesday, May 30, 2001 11:08 PM Subject: Re: Potential Security Flaw in Struts MVC > > >> In the case at hand, nothing stops your user from logging on (so your > >> security checks won't catch anything) and then hand typing a URL with > >> query string

Re: Potential Security Flaw in Struts MVC

2001-05-30 Thread Jim Richards
>> In the case at hand, nothing stops your user from logging on (so your >> security checks won't catch anything) and then hand typing a URL with >> query string parameters that maliciously or accidentally try to change >> things in the system. If the user is successful at doing this, it's shame

Re: Potential Security Flaw in Struts MVC

2001-05-30 Thread Jeff Trent
I'm sure my ears will be ringing at home that night :^) - Original Message - From: "Craig R. McClanahan" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, May 31, 2001 1:01 AM Subject: Re: Potential Security Flaw in Struts MVC > > >

RE: Potential Security Flaw in Struts MVC

2001-05-30 Thread Craig R. McClanahan
On Tue, 8 May 2001, Manabendra Sarkar wrote: > but if i use external security mechanism, will it be dynamic? i mean to say, > if the admin wants to change his/her password from the application > (using admin interface), how can he/she do that without restarting the > server? > There is no gl

Re: Potential Security Flaw in Struts MVC

2001-05-30 Thread Craig R. McClanahan
On Mon, 7 May 2001, Jeff Trent wrote: > Ah, this may be a problem in the way I've adapted Struts. I reflect all UserForm >method calls directly into the contained User object owned by the UserForm. So for >instance, I have > > public class UserForm extends ActionsForm > { > protected Us

RE: Potential Security Flaw in Struts MVC....Christian.......are you lurking about?

2001-05-09 Thread Christian Cryder
[EMAIL PROTECTED] Barracuda - Open-source MVC Component Framework for Webapps http://barracuda.enhydra.org "What a great time to be a Geek" > -Original Message- > From: Jonathan [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, May 09, 2

Re: Potential Security Flaw in Struts MVC....Christian.......are you lurking about?

2001-05-09 Thread Jonathan
PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, May 09, 2001 9:40 AM Subject: RE: Potential Security Flaw in Struts MVC > > > The way I usually handle this sort of problem is to delegate the security > back towards the model layer of code. I will usually have some sort

RE: Potential Security Flaw in Struts MVC

2001-05-09 Thread Sean Pritchard
ns on methods. Sean -Original Message- From: Christian Cryder [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 11:15 AM To: Struts-User Subject: RE: Potential Security Flaw in Struts MVC I usually just lurk on this list, but I think I'll pipe in here. I think Jeff raises a valid

RE: Potential Security Flaw in Struts MVC

2001-05-08 Thread Yi-Xiong Zhou
: Struts-User Subject: RE: Potential Security Flaw in Struts MVC I usually just lurk on this list, but I think I'll pipe in here. I think Jeff raises a valid point, and it's one of my particular gripes about the webapp paradigm (certainly not Struts in general): every "action"

RE: Potential Security Flaw in Struts MVC

2001-05-08 Thread Assenza, Chris
Is it just me or has the list received this message well over 10 times? Chris -Original Message- From: Jeff Trent [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 12:51 PM To: [EMAIL PROTECTED] Subject: Re: Potential Security Flaw in Struts MVC Curt, I don't dispute what

Re: Potential Security Flaw in Struts MVC

2001-05-08 Thread Calvin Yu
Here's a quick write up. Let me know if you have problems with it. I tried to use an example that is as real world as possible and that cannot necessarily be fixed with some user realm/role solution. Calvin --- Ted Husted <[EMAIL PROTECTED]> wrote: > Feel free. If you would like to document i

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Martin Duffy
fy'" <[EMAIL PROTECTED]> Sent: Tuesday, May 08, 2001 8:08 AM Subject: RE: Potential Security Flaw in Struts MVC > but if i use external security mechanism, will it be dynamic? i mean to say, > if the admin wants to change his/her password from the application > (using admi

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Manabendra Sarkar
TECTED]] > Sent: Monday, May 07, 2001 5:57 PM > To: [EMAIL PROTECTED] > Subject: Re: Potential Security Flaw in Struts MVC > > A basic problem with most web development is that people are building > security into their applications. It should be handled outside of the >

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
Ted, I wish I had time. Now that I have three kids I can't spend any spare cycle(s) on anything but changing diapers! - Original Message - From: "Ted Husted" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, May 07, 2001 7:46 PM Subject: Re: Potent

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Ted Husted
Feel free to submit some code. Jeff Trent wrote: > I like it! I second this request totally!

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Ted Husted
This is open source. Anyone is welcome to jump in and join the "management" by submitting code. Jeff Trent wrote: > Therefore, if I haven't reached my quota today, I'd like to suggest to > management that there is a bean property (or something) that results in form > fields being propagated accro

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Ted Husted
Feel free. If you would like to document it, I'd be happy to find a place for it in the users guide. Calvin Yu wrote: > > I think that this potential exploit should probably be > thoroughly documented, along with potential > workarounds. Last thing we want is to have Struts > being tagged as be

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Anthony Martin
Anthony -Original Message- From: George, Carl [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 1:01 PM To: '[EMAIL PROTECTED]' Subject: RE: Potential Security Flaw in Struts MVC I think you are trying to make things too hard, you could handle this relatively simple in tw

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Deadman, Hal
AIL PROTECTED] Subject: Re: Potential Security Flaw in Struts MVC Ah, this may be a problem in the way I've adapted Struts. I reflect all UserForm method calls directly into the contained User object owned by the UserForm. So for instance, I have public class UserForm extends Action

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Bryan Field-Elliot
ee my original concern? Maybe I need to separate the model from the form a little more than what I have. - jeff - Original Message - From: Bryan Field-Elliot To: [EMAIL PROTECTED] Sent: Monday, May 07, 2001 4:38 PM Subject: Re: Potential Security

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread casey kochmer
>I think I must be missing something... I don't see how a user/hacker >is >going >to gain access to the system if one is using security. hackers aren't always from the outside, you also have to protect yourself from legitimate users, who could try to force the system. Not every secure user is

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Peter Alfors
from user screens (yet). I'm glad you brought the issue up, because it is something that could be overlooked. :) > > - jeff > > - Original Message - > From: "Peter Alfors" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Monday, May 07, 2001 4:14

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Shunhui Zhu
rtin Duffy [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 5:27 AM To: [EMAIL PROTECTED] Subject: Re: Potential Security Flaw in Struts MVC A basic problem with most web development is that people are building security into their applications. It should be handled outside of the a

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
jeff - Original Message - From: Bryan Field-Elliot To: [EMAIL PROTECTED] Sent: Monday, May 07, 2001 4:38 PM Subject: Re: Potential Security Flaw in Struts MVC Either you are misunderstanding Struts, or I am misunderstanding you. Struts will populate your UserForm for you, prior

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Peter Alfors
We are doing something very similar. We are using the jaas security to map each action to a permission. This way, each user is mapped to the actions that he/she is allowed to perform. Each request is routed through a security check to verify that the currently logged in user has permissions to th

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
- Original Message - From: "Peter Alfors" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, May 07, 2001 4:14 PM Subject: Re: Potential Security Flaw in Struts MVC > Sure. You could create a jsp page that had the fields you would like, and even > call off a

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Bryan Field-Elliot
From: Bryan Field-Elliot To: [EMAIL PROTECTED] Sent: Monday, May 07, 2001 1:14 PM Subject: Re: Potential Security Flaw in Struts MVC There is a security risk here as you describe, if (and only if) you are using a generic introspection-based function

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Martin Duffy
- Original Message - From: Jeff Trent To: [EMAIL PROTECTED] Sent: Monday, May 07, 2001 6:37 PM Subject: Potential Security Flaw in Struts MVC I may be wrong about this (only been working w/ Struts for a week now). But I do see a potential security flaw in struts that

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Curt Hagenlocher
> I think I must be missing something... I don't see how a > user/hacker is going to gain access to the system if one > is using security. If you route each request through a > security check (realm) then you should be able to determine > if the current user has access to the requested page/act

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Michael Rimov
At 12:17 PM 5/7/2001 -0700, you wrote: >Role-Based Action Execution. >Add the ability to require the current user to be in a >particular security role before they can execute a >particular action. I just wanted to pipe in here because we're integrating Struts into our stuff (Slowly!) The Express

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Peter Alfors
r Alfors" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Monday, May 07, 2001 1:56 PM > Subject: Re: Potential Security Flaw in Struts MVC > > > Wouldn't the hacker have to get the new form class into the classpath of > the > > server since

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread George, Carl
:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 2:47 PM To: [EMAIL PROTECTED] Subject: Re: Potential Security Flaw in Struts MVC Beyond the scope of my brain container class (maybe in a week or so I'll know how to translate what you just said in terms of what I know) :^> - Original

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
m: "Christian Cryder" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, May 07, 2001 1:52 PM Subject: RE: Potential Security Flaw in Struts MVC > I usually just lurk on this list, but I think I'll pipe in here. > > I think Curt raises a valid point,

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread David Winterfeldt
ions or events as real > objects, not just Strings. > > Anyway, I'd be curious to hear thoughts and > feedback, and to know how others > have approached this particular type of problem... > > Christian > > Christian

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Peter Alfors
stian > > Christian Cryder > [EMAIL PROTECTED] > Barracuda - Open-source MVC Component Framework for Webapps > http://barracuda.enhydra.org > > "What a great time to be a Geek

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
No, I can write a form locally and have the action run on your server... - Original Message - From: "Peter Alfors" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, May 07, 2001 1:56 PM Subject: Re: Potential Security Flaw in Struts MVC > Wouldn

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
ryder" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, May 07, 2001 1:52 PM Subject: RE: Potential Security Flaw in Struts MVC > I usually just lurk on this list, but I think I'll pipe in here. > > I think Curt raises a valid point, and it's one o

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Bryan Field-Elliot
Christian, You kick ass! Apologies to the sensitive but that was a great explanation of a very obscure but important problem. Bryan Christian Cryder wrote: >I usually just lurk on this list, but I think I'll pipe in here. > >

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
ECTED] Sent: Monday, May 07, 2001 1:14 PM Subject: Re: Potential Security Flaw in Struts MVC There is a security risk here as you describe, if (and only if) you are using a generic introspection-based function (like Struts' PropertyUtils.copyBean) to copy the values from the UserF

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Calvin Yu
ing convention, they can > > write their own form to > > override the administrative-level fields above. > > > > > > - Original Message - > > From: "Anthony Martin" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]>

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
Beyond the scope of my brain container class (maybe in a week or so I'll know how to translate what you just said in terms of what I know) :^> - Original Message - From: Jason Chaffee To: '[EMAIL PROTECTED

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
depends. He would have a session if he has enrolled already... - Original Message - From: Hogan, John To: '[EMAIL PROTECTED]' Sent: Monday, May 07, 2001 1:09 PM Subject: RE: Potential Security Flaw in Struts MVC Wouldn't this not be a conc

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread William Jaynes
ions. I haven't actually ever found a good, concise and reasonably complete article on them. Will - Original Message - From: "Jeff Trent" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, May 07, 2001 12:51 PM Subject: Re: Potential Security Flaw in Str

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Nanduri, Amarnath
PM To: '[EMAIL PROTECTED]' Subject: RE: Potential Security Flaw in Struts MVC Wouldn't this not be a concern because the user would never be in the session on the target server? -Original Message- From: Jeff Trent [mailto:[EMAIL PROTECTED]] Sent: Monday, May

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Christian Cryder
- "What a great time to be a Geek" > -Original Message- > From: Curt Hagenlocher [mailto:[EMAIL PROTECTED]] > Sent: Monday, May 07, 2001 10:11 AM > To: '[EMAIL PROTECTED]' > Subject: RE: Potential Security Flaw in Struts

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Peter Alfors
convention, they can write their own form to > override the administrative-level fields above. > > - Original Message - > From: "Anthony Martin" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Monday, May 07, 2001 11:59 AM > Subject: RE: Poten

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread David Winterfeldt
> > - Original Message - > From: "Anthony Martin" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Monday, May 07, 2001 11:59 AM > Subject: RE: Potential Security Flaw in Struts MVC > > > > Jeff, > > > > Are you asking if b

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jason Chaffee
You can easily guard against this by using simple JavaBeans in the presentation layer and having your action class do the persistent storage from your JavaBean view layer. -Original Message- From: Jeff Trent [mailto:[EMAIL PROTECTED

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Bryan Field-Elliot
There is a security risk here as you describe, if (and only if) you are using a generic introspection-based function (like Struts' PropertyUtils.copyBean) to copy the values from the UserForm object to the User object. There are several ways to avoid this -- 1. Don't put an admin flag "setter"

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Hogan, John
Wouldn't this not be a concern because the user would never be in the session on the target server? -Original Message- From: Jeff Trent [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 11:37 AM To: [EMAIL PROTECTED] Subject: Potential Security Flaw in Struts MVC I m

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
, 2001 12:10 PM Subject: RE: Potential Security Flaw in Struts MVC > > However, if someone is familiar with the db schema and the > > naming convention the developer used, that user could subvert > > the application by writing his own version of the UI which > > contain

Re: Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
t; Sent: Monday, May 07, 2001 11:59 AM Subject: RE: Potential Security Flaw in Struts MVC > Jeff, > > Are you asking if book marking a URL that contains query parameters might be > a security risk? > > > Anthony > > -Original Message- > From: Jeff Trent [mailto:

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Curt Hagenlocher
> However, if someone is familiar with the db schema and the > naming convention the developer used, that user could subvert > the application by writing his own version of the UI which > contains an "Administrative User Flag" field (or any other > field for that matter) and the basic form process

RE: Potential Security Flaw in Struts MVC

2001-05-07 Thread Anthony Martin
Jeff, Are you asking if book marking a URL that contains query parameters might be a security risk? Anthony -Original Message- From: Jeff Trent [mailto:[EMAIL PROTECTED]] Sent: Monday, May 07, 2001 8:37 AM To: [EMAIL PROTECTED] Subject: Potential Security Flaw in Struts MVC I may be

Potential Security Flaw in Struts MVC

2001-05-07 Thread Jeff Trent
I may be wrong about this (only been working w/ Struts for a week now). But I do see a potential security flaw in struts that I would like to hear from others regarding. Consider a simple set of struts classes that represent a user in a system. You would probably have classes that look so