> However, if someone is familiar with the db schema and the
> naming convention the developer used, that user could subvert
> the application by writing his own version of the UI which
> contains an "Administrative User Flag" field (or any other
> field for that matter) and the basic form processing in
> Struts will kindly honor the request and set the
> "Administrative Flag" on the user. Unless, of course, the
> developer makes special provisions to prevent this behavior.

Creating a secure web application means that *every* HTTP request should be checked for validity. Any data that comes from the client is suspect. This is no more or less true with Struts than without it.

--
Curt Hagenlocher
[EMAIL PROTECTED]
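The point made in the reply above, as an added example that is not part of the original message and is not Struts code: a reflection-based binder stands in for automatic form processing, next to a variant that checks the request against an allow-list before binding. `BindingDemo`, `UserForm` and its properties are hypothetical names, and the request parameters are constructed.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.Map;
import java.util.Set;

public class BindingDemo {
    // Hypothetical form bean; the thread names no concrete class.
    public static class UserForm {
        private String displayName = "";
        private boolean admin;
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String v) { displayName = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }

    // Copies every parameter that matches a writable property onto the bean:
    // the automatic binding the quoted message is concerned about.
    static void bindAll(Object bean, Map<String, String> params) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors()) {
            String raw = params.get(pd.getName());
            if (raw == null || pd.getWriteMethod() == null) continue;
            Object value = pd.getPropertyType() == boolean.class ? (Object) Boolean.valueOf(raw) : raw;
            pd.getWriteMethod().invoke(bean, value);
        }
    }

    // Same binder, but the request is validated first: any parameter the
    // form was never meant to expose causes the whole request to be rejected.
    static void bindAllowed(Object bean, Map<String, String> params, Set<String> allowed) throws Exception {
        for (String name : params.keySet()) {
            if (!allowed.contains(name)) throw new IllegalArgumentException("unexpected parameter: " + name);
        }
        bindAll(bean, params);
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the served form has only displayName; "admin" was added client-side.
        Map<String, String> params = Map.of("displayName", "guest", "admin", "true");

        UserForm open = new UserForm();
        bindAll(open, params);
        System.out.println("bind everything: admin=" + open.isAdmin());

        UserForm strict = new UserForm();
        try {
            bindAllowed(strict, params, Set.of("displayName"));
        } catch (IllegalArgumentException e) {
            System.out.println("allow-list: " + e.getMessage() + ", admin=" + strict.isAdmin());
        }
    }
}
```

The allow-list is kept per form on the server, so a field added to the bean later is not bindable until someone deliberately lists it.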