2014-08-07 11:43 GMT+02:00 Fabian Richter <[email protected]>:
> Hey,
>
> we are wondering why struts params interceptor excludes
>
> ^application\..*
>
> as a parameter?
>
> To what kind of vulnerabilities would we open our applications if we allow
> parameters starting with application to be set by struts?

It's the same as session param - but you have access to the whole ServletContext

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

