Posted to issues@struts.apache.org by "chenlin (JIRA)" <ji...@apache.org> on 2013/11/19 10:17:21 UTC

[jira] [Created] (WW-4245) User can change URL parameter to access not-authorized struts2 portlet

chenlin created WW-4245:
---------------------------

             Summary: User can change URL parameter to access not-authorized struts2 portlet
                 Key: WW-4245
                 URL: https://issues.apache.org/jira/browse/WW-4245
             Project: Struts 2
          Issue Type: Bug
          Components: Plugin - Portlet
    Affects Versions: 2.3.15.1
         Environment: Struts2-Portlet 2.3.15.1 
IBM AIX 6.1
Websphere Portal server 7.0.0.2
Websphere Application server 7.0.0.21
            Reporter: chenlin


All portlets are in the same WAR:

Websphere Portal page 1 - Struts2 portlet 1 (customer) - User can access this page
Websphere Portal page 2 - Struts2 portlet 2 (payment) - User cannot access this page

User can change the page 1 URL parameter "struts.portlet.action" from "QCPcustomerQCPbegin/p" to "QCPpaymentQCPbegin/p", then can render the "payment" portlet on page 1, which is not configured/authorized.
 
Original URL:
https://localhost/wps/myportal/sample/space/!ut/p/b1/04_SjzQyMjAxMjK0NNeP0I_KSyzLTE8syczPS8wB8aPM4s1DAoPdjcxMDCzCDCwMPP1MDI0t3CwMDEwMgAoikRX4-xq6gRS4h7oauhgaOBpSpt_CiDj9BjiAowEh_V76Uek5-UlAr4brR6EqxuIXvApAjgUrwOMaP4_83FT93KgcNzeL7MyAdEVFANvNh7g!/dl4/d5/L2dBISEvZ0FBIS9nQSEh/pw/Z7_7TQSG26408V080IN4138F80041/ren/m=view/s=normal/p=struts.portlet.action=QCPcustomerQCPbegin/p=Id=4620/p=struts.portlet.mode=view/-/#Z7_7TQSG26408V080IN4138F80041

Changed URL:
https://localhost/wps/myportal/sample/space/!ut/p/b1/04_SjzQyMjAxMjK0NNeP0I_KSyzLTE8syczPS8wB8aPM4s1DAoPdjcxMDCzCDCwMPP1MDI0t3CwMDEwMgAoikRX4-xq6gRS4h7oauhgaOBpSpt_CiDj9BjiAowEh_V76Uek5-UlAr4brR6EqxuIXvApAjgUrwOMaP4_83FT93KgcNzeL7MyAdEVFANvNh7g!/dl4/d5/L2dBISEvZ0FBIS9nQSEh/pw/Z7_7TQSG26408V080IN4138F80041/ren/m=view/s=normal/p=struts.portlet.action=QCPpaymentQCPbegin/p=Id=4620/p=struts.portlet.mode=view/-/#Z7_7TQSG26408V080IN4138F80041

We have checked with the IBM team; they have mentioned the issue is not on their side.
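As an added illustration (not code from this report or from the Struts portlet plugin), a defender-side allow-list check for the parameter described above: it parses the `/p=name=value` segments WebSphere Portal embeds in the URL path, decodes `struts.portlet.action` and rejects a request whose namespace differs from the namespace the portlet was deployed with. The QCP-for-slash encoding and the `/customer` and `/payment` namespaces are assumptions read off the quoted URLs; the sample URLs are constructed, shortened versions of those in the report.

```python
"""Allow-list check for the Struts2 portlet action parameter (WW-4245 style bypass)."""
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Parameter names exactly as they appear in the URLs quoted in the report.
ACTION_PARAM = "struts.portlet.action"
MODE_PARAM = "struts.portlet.mode"
# Assumption: the portal encodes "/" inside parameter values as "QCP",
# so "QCPcustomerQCPbegin" stands for the action path "/customer/begin".
SLASH_TOKEN = "QCP"

# WebSphere Portal carries portlet parameters as "/p=name=value" path segments.
_PARAM_SEG = re.compile(r"/p=([^=/]+)=([^/]*)")


def portal_params(url: str) -> Dict[str, str]:
    """Extract the '/p=name=value' segments from the URL path (fragment ignored)."""
    return {name: value for name, value in _PARAM_SEG.findall(urlsplit(url).path)}


def decode_action(value: str) -> Tuple[str, str]:
    """Turn an encoded action value into (namespace, action name)."""
    full = value.replace(SLASH_TOKEN, "/")
    if not full.startswith("/"):
        full = "/" + full
    namespace, _, action = full.rpartition("/")
    return (namespace or "/"), action


def is_action_allowed(url: str, portlet_namespace: str) -> bool:
    """True only if the requested action lives in this portlet's own namespace.

    A request naming another portlet's namespace (e.g. "/payment" sent to the
    customer portlet, as in the report) is rejected. No explicit action means
    the portlet's default render, which needs no check.
    """
    params = portal_params(url)
    if ACTION_PARAM not in params:
        return True
    namespace, action = decode_action(params[ACTION_PARAM])
    return bool(action) and namespace == ("/" + portlet_namespace.strip("/"))


# Constructed sample URLs, shortened from those quoted in the report.
_BASE = "https://localhost/wps/myportal/sample/space/!ut/p/b1/EXAMPLE/pw/Z7_EXAMPLE/ren/m=view/s=normal"
ORIGINAL_URL = _BASE + "/p=struts.portlet.action=QCPcustomerQCPbegin/p=Id=4620/p=struts.portlet.mode=view/-/#Z7_EXAMPLE"
TAMPERED_URL = _BASE + "/p=struts.portlet.action=QCPpaymentQCPbegin/p=Id=4620/p=struts.portlet.mode=view/-/#Z7_EXAMPLE"

if __name__ == "__main__":
    for label, url in (("original", ORIGINAL_URL), ("tampered", TAMPERED_URL)):
        print(label, "allowed for /customer portlet:", is_action_allowed(url, "/customer"))
```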
