Posted to issues@struts.apache.org by "chenlin (JIRA)" <ji...@apache.org> on 2013/11/19 10:17:21 UTC
[jira] [Created] (WW-4245) User can change URL parameter to access not-authorized struts2 portlet
chenlin created WW-4245:
---------------------------
Summary: User can change URL parameter to access not-authorized struts2 portlet
Key: WW-4245
URL: https://issues.apache.org/jira/browse/WW-4245
Project: Struts 2
Issue Type: Bug
Components: Plugin - Portlet
Affects Versions: 2.3.15.1
Environment: Struts2-Portlet 2.3.15.1
IBM AIX 6.1
Websphere Portal server 7.0.0.2
Websphere Application server 7.0.0.21
Reporter: chenlin
All portlets are in same WAR:
Websphere Portal page 1 - Struts2 portlet 1 ( customer) -User can access this page
Websphere Portal page 2 - Struts2 portlet 2 (payment) - User cannot access this page
User can change page 1 URL parameter "struts.portlet.action" from "QCPcustomerQCPbegin/p" to "QCPpaymentQCPbegin/p", then can render the "payment" portlet on page 1, which is not configured/authorized.
original URL
https://localhost/wps/myportal/sample/space/!ut/p/b1/04_SjzQyMjAxMjK0NNeP0I_KSyzLTE8syczPS8wB8aPM4s1DAoPdjcxMDCzCDCwMPP1MDI0t3CwMDEwMgAoikRX4-xq6gRS4h7oauhgaOBpSpt_CiDj9BjiAowEh_V76Uek5-UlAr4brR6EqxuIXvApAjgUrwOMaP4_83FT93KgcNzeL7MyAdEVFANvNh7g!/dl4/d5/L2dBISEvZ0FBIS9nQSEh/pw/Z7_7TQSG26408V080IN4138F80041/ren/m=view/s=normal/p=struts.portlet.action=QCPcustomerQCPbegin/p=Id=4620/p=struts.portlet.mode=view/-/#Z7_7TQSG26408V080IN4138F80041
Changed URL
https://localhost/wps/myportal/sample/space/!ut/p/b1/04_SjzQyMjAxMjK0NNeP0I_KSyzLTE8syczPS8wB8aPM4s1DAoPdjcxMDCzCDCwMPP1MDI0t3CwMDEwMgAoikRX4-xq6gRS4h7oauhgaOBpSpt_CiDj9BjiAowEh_V76Uek5-UlAr4brR6EqxuIXvApAjgUrwOMaP4_83FT93KgcNzeL7MyAdEVFANvNh7g!/dl4/d5/L2dBISEvZ0FBIS9nQSEh/pw/Z7_7TQSG26408V080IN4138F80041/ren/m=view/s=normal/p=struts.portlet.action=QCPpaymentQCPbegin/p=Id=4620/p=struts.portlet.mode=view/-/#Z7_7TQSG26408V080IN4138F80041
We have checked with the IBM team; they have mentioned the issue is not on their side.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
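The report shows the root cause: the dispatcher trusts the client-supplied "struts.portlet.action" render parameter and never checks that the requested namespace is the one the portlet instance on that page was configured for. The following is an added illustration of such a server-side check, written for this page and not taken from the Struts2 portlet plugin; it models the two URL tails from the report as constructed inputs, assumes that the portal encodes "/" as "QCP" in render parameters (as the report's URLs suggest), and assumes a hypothetical per-portlet mapping from portlet instance to its single permitted Struts2 namespace.

```python
import re
from urllib.parse import unquote

# Constructed: the parameter segments of the two URLs in the report. The opaque
# "!ut/p/b1/..." navigational state before "/ren/" is omitted; it is not consulted.
ORIGINAL_TAIL = ("/ren/m=view/s=normal/p=struts.portlet.action=QCPcustomerQCPbegin"
                 "/p=Id=4620/p=struts.portlet.mode=view/-/")
MODIFIED_TAIL = ("/ren/m=view/s=normal/p=struts.portlet.action=QCPpaymentQCPbegin"
                 "/p=Id=4620/p=struts.portlet.mode=view/-/")

# Assumption (hypothetical configuration): each portlet instance placed on a page
# is bound to exactly one Struts2 namespace it may dispatch into.
PORTLET_NAMESPACES = {
    "page1/customer-portlet": "/customer",
    "page2/payment-portlet": "/payment",
}


def portal_params(url_tail):
    """Collect the '/p=name=value' render parameters from a portal URL tail."""
    params = {}
    for m in re.finditer(r"/p=([^/=]+)=([^/]*)", url_tail):
        params[unquote(m.group(1))] = unquote(m.group(2))
    return params


def decode_action(value):
    """Split 'QCPcustomerQCPbegin' into ('/customer', 'begin').

    Assumption: the portal writes '/' as 'QCP' inside render parameters.
    A value with no namespace at all maps to the root namespace '/'.
    """
    path = value.replace("QCP", "/")
    if not path.startswith("/"):
        path = "/" + path
    namespace, _, action = path.rpartition("/")
    return (namespace or "/", action)


def authorize_action(portlet_id, url_tail):
    """Return the (namespace, action) to dispatch, or None when the requested
    action lies outside the namespace this portlet instance is configured for.

    Binding the decision to the portlet's own configuration, not to the
    client-controlled parameter, is what closes the gap described above.
    """
    value = portal_params(url_tail).get("struts.portlet.action")
    if value is None:
        return None
    namespace, action = decode_action(value)
    if namespace != PORTLET_NAMESPACES.get(portlet_id):
        return None  # e.g. "/payment" requested through the customer portlet
    return namespace, action
```

With the customer portlet on page 1, the original URL resolves to `("/customer", "begin")` while the changed URL is rejected; the same changed value is accepted only for the payment portlet instance that is actually configured for `/payment`.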