Curt,

I don't dispute what you're saying. However, to the casual struts user this fact may be easily overlooked and exploited by a hacker.

- jeff

----- Original Message -----
From: "Curt Hagenlocher" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 07, 2001 12:10 PM
Subject: RE: Potential Security Flaw in Struts MVC

> > However, if someone is familiar with the db schema and the
> > naming convention the developer used, that user could subvert
> > the application by writing his own version of the UI which
> > contains an "Administrative User Flag" field (or any other
> > field for that matter) and the basic form processing in
> > Struts will kindly honor the request and set the
> > "Administrative Flag" on the user. Unless, of course, the
> > developer makes special provisions to prevent this behavior.
>
> Creating a secure web application means that *every* HTTP
> request should be checked for validity. Any data that comes
> from the client is suspect. This is no more or less true
> with Struts than without it.
>
> --
> Curt Hagenlocher
> [EMAIL PROTECTED]
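
The behavior discussed in this message, as an added example that is not part of the original thread and is not Struts code: a reflection-based binder standing in for automatic form population, next to the same binder restricted to the fields an action expects. The class `FormBindingDemo`, the bean `UserForm`, its `admin` property and the methods `bindAll` and `bindAllowed` are all hypothetical names chosen for illustration.

```java
import java.lang.reflect.Method;
import java.util.*;

public class FormBindingDemo {
    // Hypothetical form bean; "admin" stands in for the thread's "Administrative User Flag".
    public static class UserForm {
        private String email = "";
        private boolean admin = false;
        public void setEmail(String v) { email = v; }
        public void setAdmin(String v) { admin = Boolean.parseBoolean(v); }
        public String getEmail() { return email; }
        public boolean isAdmin() { return admin; }
    }

    // Simplified stand-in for automatic form population (an assumption, not the
    // framework's code): every parameter with a matching setter is applied.
    static void bindAll(Object bean, Map<String, String> params) throws Exception {
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            if (name.isEmpty()) continue;
            String setter = "set" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
            try {
                Method m = bean.getClass().getMethod(setter, String.class);
                m.invoke(bean, e.getValue());
            } catch (NoSuchMethodException ignored) {
                // The bean has no such property, so the parameter is dropped.
            }
        }
    }

    // Same binding, limited to the fields this action expects from the client.
    static void bindAllowed(Object bean, Map<String, String> params,
                            Set<String> allowed) throws Exception {
        Map<String, String> filtered = new HashMap<>(params);
        filtered.keySet().retainAll(allowed);
        bindAll(bean, filtered);
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the rendered form only had "email"; "admin" came from the client.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("email", "user@example.test");
        params.put("admin", "true");

        UserForm open = new UserForm();
        bindAll(open, params);
        System.out.println("bindAll     admin=" + open.isAdmin());

        UserForm strict = new UserForm();
        bindAllowed(strict, params, Collections.singleton("email"));
        System.out.println("bindAllowed admin=" + strict.isAdmin());
    }
}
```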