You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Montri M (JIRA)" <ji...@apache.org> on 2016/06/23 08:40:16 UTC

[jira] [Commented] (WW-4601) webconsole can always be accessed

    [ https://issues.apache.org/jira/browse/WW-4601?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15346056#comment-15346056 ] 

Montri M commented on WW-4601:
------------------------------

Well, just having it exists is enough to scare our client away, even if it couldn't perform any action.   Is there anyway to disable it?  

> webconsole can always be accessed
> ---------------------------------
>
>                 Key: WW-4601
>                 URL: https://issues.apache.org/jira/browse/WW-4601
>             Project: Struts 2
>          Issue Type: Bug
>            Reporter: Alireza Fattahi
>             Fix For: 2.5.x
>
>
> It is possible that you get the webconsole.html in dev without having debug in the stack trace
> I found that you can access /stuts/webconsole.html to see this html.  For example (thanks jgeppert! ) :
> {code}
> http://struts.jgeppert.com/struts2-jquery-showcase/struts/webconsole.html
> {code}
> I wonder if this should be fixed and if this can be used for attackers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)