You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/07/08 04:41:11 UTC

[jira] [Commented] (WW-4601) webconsole can always be accessed

    [ https://issues.apache.org/jira/browse/WW-4601?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15367211#comment-15367211 ] 

ASF subversion and git services commented on WW-4601:
-----------------------------------------------------

Commit a317668213062d071de68e6008197d1ca6ed3dbc in struts's branch refs/heads/master from [~lukaszlenart]
[ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=a317668 ]

WW-4601 Hides webconsole when not in devMode


> webconsole can always be accessed
> ---------------------------------
>
>                 Key: WW-4601
>                 URL: https://issues.apache.org/jira/browse/WW-4601
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Alireza Fattahi
>             Fix For: 2.3.31, 2.5.3
>
>
> It is possible that you get the webconsole.html in dev without having debug in the stack trace
> I found that you can access /stuts/webconsole.html to see this html.  For example (thanks jgeppert! ) :
> {code}
> http://struts.jgeppert.com/struts2-jquery-showcase/struts/webconsole.html
> {code}
> I wonder if this should be fixed and if this can be used for attackers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)