Posted to issues@struts.apache.org by "Lukasz Lenart (JIRA)" <ji...@apache.org> on 2013/11/19 10:37:21 UTC

[jira] [Deleted] (WW-4245) User can change URL parameter to access not-authorized struts2 portlet

     [ https://issues.apache.org/jira/browse/WW-4245?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart deleted WW-4245:
------------------------------


> User can change URL parameter to access not-authorized struts2 portlet
> ----------------------------------------------------------------------
>
>                 Key: WW-4245
>                 URL: https://issues.apache.org/jira/browse/WW-4245
>             Project: Struts 2
>          Issue Type: Bug
>         Environment: Struts2-Portlet 2.3.15.1 
> IBM AIX 6.1
> Websphere Portal server 7.0.0.2
> Websphere Application server 7.0.0.21
>            Reporter: chenlin
>              Labels: patch
>   Original Estimate: 120h
>  Remaining Estimate: 120h
>
> All portlets are in same WAR:
>  
> Websphere Portal page 1 - Struts2 portlet 1 (customer) - User can access this page
> Websphere Portal page 2 - Struts2 portlet 2 (payment) - User cannot access this page
>  
> The user can change the page 1 URL parameter "struts.portlet.action" from "QCPcustomerQCPbegin/p" to "QCPpaymentQCPbegin/p", and can then render the "payment" portlet on page 1, which is not configured/authorized.
>  
> original URL
> https://localhost/wps/myportal/sample/space/!ut/p/b1/04_SjzQyMjAxMjK0NNeP0I_KSyzLTE8syczPS8wB8aPM4s1DAoPdjcxMDCzCDCwMPP1MDI0t3CwMDEwMgAoikRX4-xq6gRS4h7oauhgaOBpSpt_CiDj9BjiAowEh_V76Uek5-UlAr4brR6EqxuIXvApAjgUrwOMaP4_83FT93KgcNzeL7MyAdEVFANvNh7g!/dl4/d5/L2dBISEvZ0FBIS9nQSEh/pw/Z7_7TQSG26408V080IN4138F80041/ren/m=view/s=normal/p=
> struts.portlet.action=QCPcustomerQCPbegin/p=Id=4620/p=struts.portlet.mode=view/-/#Z7_7TQSG26408V080IN4138F80041
>  
> Change URL
>  
> https://localhost/wps/myportal/sample/space/!ut/p/b1/04_SjzQyMjAxMjK0NNeP0I_KSyzLTE8syczPS8wB8aPM4s1DAoPdjcxMDCzCDCwMPP1MDI0t3CwMDEwMgAoikRX4-xq6gRS4h7oauhgaOBpSpt_CiDj9BjiAowEh_V76Uek5-UlAr4brR6EqxuIXvApAjgUrwOMaP4_83FT93KgcNzeL7MyAdEVFANvNh7g!/dl4/d5/L2dBISEvZ0FBIS9nQSEh/pw/Z7_7TQSG26408V080IN4138F80041/ren/m=view/s=normal/p=
> struts.portlet.action=QCPpaymentQCPbegin/p=Id=4620/p=struts.portlet.mode=view/-/#Z7_7TQSG26408V080IN4138F80041
> We have checked with the IBM team; they have mentioned the issue is not on their side.
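The failure mode above is that the "struts.portlet.action" parameter, not the portal page, decides which action namespace renders. The following is an added example (not code from the Struts project or the reporter) of a per-portlet namespace allowlist check over that parameter; it assumes the "QCP" token in the reported values encodes "/" (so "QCPcustomerQCPbegin" means namespace "customer", action "begin"), and the portlet-to-namespace mapping and the shortened URL are constructed for illustration.

```python
# Added example (not from the Struts project or the WW-4245 reporter): reject a
# request whose struts.portlet.action names a namespace that the rendering
# portlet instance is not configured for. Assumption: "QCP" stands for "/" in
# the portal-encoded parameter values quoted in the report.

from urllib.parse import urlsplit

# Constructed mapping: which Struts namespaces each portlet instance may dispatch to.
PORTLET_NAMESPACES = {
    "portlet1": {"customer"},  # page 1, customer portlet
    "portlet2": {"payment"},   # page 2, payment portlet
}

# Constructed, shortened form of the report's page 1 URL (same parameter layout).
SAMPLE_URL = ("https://localhost/wps/myportal/sample/space/ren/m=view/s=normal"
              "/p=struts.portlet.action=QCPcustomerQCPbegin/p=Id=4620"
              "/p=struts.portlet.mode=view/-/#Z7_PLACEHOLDER")


def parse_portlet_action(value: str):
    """Split a struts.portlet.action value into (namespace, action).

    Accepts the literal "/customer/begin" form and the portal-encoded
    "QCPcustomerQCPbegin" form (QCP -> "/" is an assumption, see above).
    Returns None unless exactly one namespace and one action are present.
    """
    parts = [p for p in value.replace("QCP", "/").split("/") if p]
    if len(parts) != 2:
        return None
    return parts[0], parts[1]


def is_action_allowed(portlet_id: str, param_value: str) -> bool:
    """Deny by default; allow only namespaces assigned to this portlet instance."""
    parsed = parse_portlet_action(param_value)
    if parsed is None:
        return False
    namespace, _action = parsed
    return namespace in PORTLET_NAMESPACES.get(portlet_id, set())


def extract_portlet_action(url: str):
    """Pull struts.portlet.action out of a WebSphere-style '/p=key=value' path."""
    for segment in urlsplit(url).path.split("/p="):
        if segment.startswith("struts.portlet.action="):
            return segment.split("=", 1)[1]
    return None


if __name__ == "__main__":
    value = extract_portlet_action(SAMPLE_URL)
    print(value, is_action_allowed("portlet1", value))           # QCPcustomerQCPbegin True
    print(is_action_allowed("portlet1", "QCPpaymentQCPbegin"))   # False
```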



--
This message was sent by Atlassian JIRA
(v6.1#6144)