Posted to user@struts.apache.org by "Hookom, Jacob" <Ja...@redline.mckhboc.com> on 2003/06/20 21:25:58 UTC

RE: [FRIDAY] Got A Security Hole?

One of the most interesting security holes that MANY applications have is
the use of wild cards in dynamic SQL queries....

login: admin
password: '+%+'

or those likes... try it sometime

--------
Jacob Hookom
Senior Programmer/Analyst
McKesson Medical Surgical
Golden Valley, MN


-----Original Message-----
From: Jing Zhou [mailto:jing@netspread.com]
Sent: Friday, June 20, 2003 2:29 PM
To: Struts Users Mailing List
Subject: [FRIDAY] Got A Security Hole?


It's Friday. Let us talk about some light issues like security problems ...

The Struts framework has a transaction token mechanism. It seems
to be able to protect developers. But in some cases, it does not if
session scoped form beans are used.

See the detailed description of the potential security issues at
http://www.netspread.com/tips2.html#security
More interestingly, some very very experienced developers
would think they are absolutely safe if they use request scoped
form beans. It may not be the case as they think. Some
mistakes are possible, in open source projects, in samples of
published books, if the authors are not aware of them.


Jing
Netspread Carrier at http://www.netspread.com
"Making Simple Things Crazily Simpler."


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
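Added example, not code from the thread or from Struts itself, illustrating Jacob's wild-card point: a login check that builds a LIKE query by string concatenation, beside its parameterised exact-match replacement, plus an escape helper for the cases where LIKE is genuinely wanted (a search box). Python's sqlite3 with a constructed in-memory table stands in for the JDBC code of the period; the account and password are made up.

```python
import hmac
import sqlite3

# Constructed demo data: the single account and its password are made up for this example.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn

def login_vulnerable(conn, login: str, password: str) -> bool:
    """Dynamic SQL with LIKE: the submitted credential is interpreted as a pattern,
    so '%' (any string) and '_' (any character) match instead of comparing literally."""
    sql = ("SELECT COUNT(*) FROM users WHERE login LIKE '%s' AND password LIKE '%s'"
           % (login, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_hardened(conn, login: str, password: str) -> bool:
    """Bound parameter plus exact comparison in application code; '%' is just a byte.
    A real system stores a salted hash and compares hashes, but the query shape is the same."""
    row = conn.execute("SELECT password FROM users WHERE login = ?", (login,)).fetchone()
    if row is None:
        return False
    # constant-time comparison so a wrong password fails at the same speed as a near miss
    return hmac.compare_digest(row[0].encode(), password.encode())

def escape_like(term: str, esc: str = "\\") -> str:
    """Where LIKE is really wanted (search, not authentication): neutralise the pattern
    metacharacters so user input only ever matches literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_logins(conn, term: str) -> list:
    """Substring search with a bound, escaped pattern; the only wildcards are ours."""
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT login FROM users WHERE login LIKE ? ESCAPE '\\'", (pattern,)).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = setup_db()
    print(login_vulnerable(db, "admin", "%"))   # True: the wildcard matches the stored password
    print(login_hardened(db, "admin", "%"))     # False: '%' compared literally
    print(search_logins(db, "%"))               # []: no login contains a literal '%'
```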


Re: [FRIDAY] Got A Security Hole?

Posted by Joseph Fifield <jf...@programmerplanet.org>.
This is certainly not Struts specific, but it may be useful...

http://www.owasp.org/

Joe



Re: [FRIDAY] Got A Security Hole?

Posted by Jing Zhou <ji...@netspread.com>.
Does anyone know a published web site or book that covers
potential security issues for Struts developers in general?

Jing
