Posted to issues@struts.apache.org by "Don Brown (JIRA)" <ji...@apache.org> on 2007/04/26 16:54:42 UTC
[jira] Commented: (WW-1769) Security hole in config parameter of the viewSource action in struts2-showcase example app
[ https://issues.apache.org/struts/browse/WW-1769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_40911 ]
Don Brown commented on WW-1769:
-------------------------------
Well, the fact is the showcase application isn't really meant to be run anywhere but on your own computer for your own uses. We could add a setting, perhaps, that disables this view source capability for public instances, but I'd be surprised if this was the only security issue with the showcase application.
> Security hole in config parameter of the viewSource action in struts2-showcase example app
> ------------------------------------------------------------------------------------------
>
> Key: WW-1769
> URL: https://issues.apache.org/struts/browse/WW-1769
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.0.6
> Reporter: Janne Kario
> Fix For: 2.0.8
>
>
> I had two options.
> 1. Send this to thedailywtf.com
> 2. Create an issue
> Decided to do the latter.
> http://www.planetstruts.org/struts2-showcase/viewSource.action?config=file:/nfs/home3/home3/h/husted/public_html/struts2-showcase/WEB-INF/classes/struts-hangman.xml:9&className=com.opensymphony.xwork2.ActionSupport&page=/hangman//hangman/hangmanMenu.ft
> config parameter accepts all kinds of file paths.
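The issue above is an arbitrary file read: the viewSource action hands the user-supplied `config` value to a URL/file loader, so any `file:` path the servlet container can read is displayed. Below is an added example (not code from the Struts showcase) of how such a parameter can be validated instead: the value is treated as a name to be matched against an allowlist and confined to one base directory, never as a URL. The class name `SafeSourceResolver`, the base directory and the allowlisted file names are assumptions for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

/** Hypothetical hardened resolver for a "view source" feature (added example, not Struts code). */
public final class SafeSourceResolver {
    // Only files under this directory may ever be displayed (assumed, e.g. WEB-INF/classes).
    private final Path base;
    // Allowlist of configuration files the page may show; the request value is matched, not interpreted.
    private static final Set<String> ALLOWED = Set.of("struts-hangman.xml", "struts-showcase.xml");

    public SafeSourceResolver(Path base) {
        this.base = base.toAbsolutePath().normalize();
    }

    /**
     * Returns the file to display, or null if the request must be refused.
     * Accepts "name.xml" or "name.xml:LINE" (the showcase used a ":line" suffix);
     * anything carrying a URL scheme, an absolute path or a traversal step is refused.
     */
    public Path resolve(String configParam) {
        if (configParam == null || configParam.isEmpty()) {
            return null;
        }
        // Split off an optional numeric line suffix; a non-numeric suffix is refused.
        String name = configParam;
        int colon = configParam.lastIndexOf(':');
        if (colon >= 0) {
            String suffix = configParam.substring(colon + 1);
            if (suffix.isEmpty() || !suffix.chars().allMatch(Character::isDigit)) {
                return null;
            }
            name = configParam.substring(0, colon);
        }
        // Refuse schemes (file:, jar:), absolute paths and ".." regardless of the allowlist.
        if (name.contains(":") || name.contains("/") || name.contains("\\") || name.contains("..")) {
            return null;
        }
        if (!ALLOWED.contains(name)) {
            return null;
        }
        Path candidate = base.resolve(name).normalize();
        // Defence in depth: the resolved file must still sit inside the base directory.
        if (!candidate.startsWith(base) || !Files.isRegularFile(candidate)) {
            return null;
        }
        return candidate;
    }
}
```

With this check, a request like `config=file:/nfs/home3/.../struts-hangman.xml:9` is refused because the name contains a scheme and path separators, while `config=struts-hangman.xml:9` resolves to the allowlisted file under the base directory.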