Here's a quick write up. Let me know if you have problems with it. I tried to use an example that is as real world as possible and that cannot necessarily be fixed with some user realm/role solution.

Calvin

--- Ted Husted <[EMAIL PROTECTED]> wrote:
> Feel free. If you would like to document it, I'd be happy to find a place for it in the users guide.
>
> Calvin Yu wrote:
> >
> > I think that this potential exploit should probably be thoroughly documented, along with potential workarounds. Last thing we want is to have Struts being tagged as being unsecure.
Security considerations when reusing ActionForms and Actions

Because Struts will blindly copy every matching request parameter from a submitted HTML form into an ActionForm object, whether or not your page actually rendered a field for it, developers should take caution when reusing ActionForms and Actions.

For example, suppose you have a subclass of ActionForm called UserForm which allows a user to update their profile information. This form has common user-related attributes like 'password', 'firstName', and 'lastName'. Now if your web application is a co-branded application, a common occurrence is to have users of one brand have features that are not available to users of other brands. To accommodate this, you add attributes to the UserForm such as 'wirelessAccess' and 'emailReports', and have your Action treat these features as disabled if the field is null. What can happen now is that a knowledgeable user of any brand can submit a custom HTML form that includes those attributes and enable them for themselves. Note that this problem is not limited to co-branded web applications; it can occur in other web applications as well.

Workarounds

* Perform validation in the ActionForm or Action that makes sure you are getting only the values you expect to get in the given context.
* Create separate forms for the different contexts.
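The following is an added example (Java, against the Struts 1.x Action/ActionForm API) illustrating the first workaround; it is not from the write-up above or from the Struts project. The class names UserForm and UpdateProfileAction, the session attribute 'brand', the forward names 'success' and 'failure', and the brand-to-feature entitlement table are all assumptions made for the example. The Action takes the brand from server-side session state, never from the request body, and rejects any submission in which a privileged field arrived for a brand that is not entitled to it.

```java
// Added example, not the original write-up's or the Struts project's code.
// Two hypothetical classes, one per file; Struts 1.x API.

// File: UserForm.java
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionMapping;

public class UserForm extends ActionForm {
    private String firstName;
    private String password;
    private String wirelessAccess;  // privileged feature; "disabled if null"
    private String emailReports;    // privileged feature; "disabled if null"

    public String getFirstName() { return firstName; }
    public void setFirstName(String v) { firstName = v; }
    public String getPassword() { return password; }
    public void setPassword(String v) { password = v; }
    public String getWirelessAccess() { return wirelessAccess; }
    public void setWirelessAccess(String v) { wirelessAccess = v; }
    public String getEmailReports() { return emailReports; }
    public void setEmailReports(String v) { emailReports = v; }

    // Struts calls reset() before copying request parameters into the form,
    // so the privileged fields are null on every submission unless this very
    // request set them. That makes the Action's check below unambiguous.
    public void reset(ActionMapping mapping, HttpServletRequest request) {
        wirelessAccess = null;
        emailReports = null;
    }
}

// File: UpdateProfileAction.java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class UpdateProfileAction extends Action {

    // Which brand may enable which privileged feature. Constructed sample
    // data for the example; a real application would load this from its
    // own configuration.
    private static final Map<String, Set<String>> ENTITLEMENTS =
            new HashMap<String, Set<String>>();
    static {
        ENTITLEMENTS.put("premium", new HashSet<String>(
                Arrays.asList("wirelessAccess", "emailReports")));
        ENTITLEMENTS.put("basic", Collections.<String>emptySet());
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        UserForm user = (UserForm) form;

        // The brand comes from server-side state established at login
        // (hypothetical session attribute), never from the request body.
        HttpSession session = request.getSession(false);
        String brand = (session == null) ? null
                : (String) session.getAttribute("brand");
        Set<String> allowed = ENTITLEMENTS.containsKey(brand)
                ? ENTITLEMENTS.get(brand) : Collections.<String>emptySet();

        // Workaround 1: make sure the populated form holds only the values this
        // context is expected to send. A privileged field that is non-null for a
        // brand whose pages never render it did not come from our own form, so
        // reject the update and log it rather than silently dropping the value.
        if (submittedDisallowed(user.getWirelessAccess(), "wirelessAccess", allowed)
                || submittedDisallowed(user.getEmailReports(), "emailReports", allowed)) {
            servlet.log("UpdateProfileAction: brand '" + brand
                    + "' submitted a feature field it is not entitled to");
            return mapping.findForward("failure");
        }

        // ... persist firstName, password and any allowed feature flags ...
        return mapping.findForward("success");
    }

    // True when a value arrived for a feature this brand may not enable.
    private static boolean submittedDisallowed(String value, String feature,
            Set<String> allowed) {
        return value != null && !allowed.contains(feature);
    }
}
```

Rejecting and logging, rather than just nulling the field, is deliberate: a legitimate page for a non-entitled brand never renders those inputs, so their presence in a request is a reliable signal worth surfacing to whoever watches the application logs. The reset() override is defence in depth for session-scoped forms, where a value left over from an earlier request would otherwise survive into the next population.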