You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/07/08 04:41:11 UTC
[jira] [Commented] (WW-4601) webconsole can always be accessed
[ https://issues.apache.org/jira/browse/WW-4601?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15367211#comment-15367211 ]
ASF subversion and git services commented on WW-4601:
-----------------------------------------------------
Commit a317668213062d071de68e6008197d1ca6ed3dbc in struts's branch refs/heads/master from [~lukaszlenart]
[ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=a317668 ]
WW-4601 Hides webconsole when not in devMode
> webconsole can always be accessed
> ---------------------------------
>
> Key: WW-4601
> URL: https://issues.apache.org/jira/browse/WW-4601
> Project: Struts 2
> Issue Type: Bug
> Reporter: Alireza Fattahi
> Fix For: 2.3.31, 2.5.3
>
>
> It is possible that you get the webconsole.html in dev without having debug in the stack trace
> I found that you can access /stuts/webconsole.html to see this html. For example (thanks jgeppert! ) :
> {code}
> http://struts.jgeppert.com/struts2-jquery-showcase/struts/webconsole.html
> {code}
> I wonder if this should be fixed and if this can be used for attackers.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)