Posted to issues@struts.apache.org by "Lee Clemens (JIRA)" <ji...@apache.org> on 2009/01/08 08:48:46 UTC

[jira] Created: (WW-2949) Passing parameter value from Action to Action requires a security vulnerability

Passing parameter value from Action to Action requires a security vulnerability
-------------------------------------------------------------------------------

                 Key: WW-2949
                 URL: https://issues.apache.org/struts/browse/WW-2949
             Project: Struts 2
          Issue Type: Bug
          Components: Core Actions
    Affects Versions: 2.1.6
         Environment: All
            Reporter: Lee Clemens


To pass a parameter value from Action->form->Action, you need to use a URL parameter or <s:hidden>.

The URL can be manipulated manually and the hidden form field can be altered via a Firefox plugin, etc.

This presents a security issue, since the form's hidden attribute can be manipulated via a Firefox plugin, etc., and the URL can be altered directly.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (WW-2949) Passing parameter value from Action to Action requires a security vulnerability

Posted by "Lee Clemens (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lee Clemens updated WW-2949:
----------------------------

      Priority: Minor  (was: Major)
    Issue Type: Improvement  (was: Bug)

I see your point. However, if Struts 2 provided a way to pass information between two actions, it would be kept server-side and hidden/form attributes would not be necessary to get the data over the gap.

While I understand this is not a bug with the existing framework, I feel it would be a useful enhancement to enable/encourage the use of server-side-only parameters within the construct of the framework.

I have changed this to Improvement - Minor, but I would be happy to hear any reason this can't/shouldn't be done to keep the non-editable form data server-side.

> Passing parameter value from Action to Action requires a security vulnerability
> -------------------------------------------------------------------------------
>
>                 Key: WW-2949
>                 URL: https://issues.apache.org/struts/browse/WW-2949
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.1.6
>         Environment: All
>            Reporter: Lee Clemens
>            Priority: Minor
>
> To pass a parameter value from Action->form->Action, you need to use a URL parameter or <s:hidden>.
> The URL can be manipulated manually and the hidden form field can be altered via a Firefox plugin, etc.
> This presents a security issue, since the form's hidden attribute can be manipulated via a Firefox plugin, etc., and the URL can be altered directly.



[jira] Resolved: (WW-2949) Passing parameter value from Action to Action requires a security vulnerability

Posted by "Philip Luppens (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Luppens resolved WW-2949.
--------------------------------

    Resolution: Not A Problem

I'm not sure I'm getting your point: of course anything that you submit can be altered. If you don't want that, use the session or store it somewhere where it cannot be tampered with (database, filesystem, ...). Of course you have to check server-side everything your users submit, but that's web development 101.

If I misunderstood, feel free to reopen, but for now I'm marking this as 'Not a problem'.

> Passing parameter value from Action to Action requires a security vulnerability
> -------------------------------------------------------------------------------
>
>                 Key: WW-2949
>                 URL: https://issues.apache.org/struts/browse/WW-2949
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Core Actions
>    Affects Versions: 2.1.6
>         Environment: All
>            Reporter: Lee Clemens
>
> To pass a parameter value from Action->form->Action, you need to use a URL parameter or <s:hidden>.
> The URL can be manipulated manually and the hidden form field can be altered via a Firefox plugin, etc.
> This presents a security issue, since the form's hidden attribute can be manipulated via a Firefox plugin, etc., and the URL can be altered directly.



[jira] Commented: (WW-2949) Passing parameter value from Action to Action requires a security vulnerability

Posted by "Dave Newton (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45453#action_45453 ] 

Dave Newton commented on WW-2949:
---------------------------------

Keeping it in session is server-side, and a well-known mechanism.

I guess I'd need to see a use case, or an example of what you'd want this to look like. Once the form is rendered, the action that rendered it is gone; without thinking about it in depth, it seems like any solution would use one of the existing mechanisms for keeping the data anyway, so I'm not really sure what you're proposing.

> Passing parameter value from Action to Action requires a security vulnerability
> -------------------------------------------------------------------------------
>
>                 Key: WW-2949
>                 URL: https://issues.apache.org/struts/browse/WW-2949
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.1.6
>         Environment: All
>            Reporter: Lee Clemens
>            Priority: Minor
>
> To pass a parameter value from Action->form->Action, you need to use a URL parameter or <s:hidden>.
> The URL can be manipulated manually and the hidden form field can be altered via a Firefox plugin, etc.
> This presents a security issue, since the form's hidden attribute can be manipulated via a Firefox plugin, etc., and the URL can be altered directly.

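The pattern Philip and Dave describe (keep the non-editable value in the session, accept only the user-editable field from the request, and validate that field server-side) looks like this in a two-step Struts 2 flow. This is an added example and not code from the reporter or from the Struts project; the package, class, field and session-key names are hypothetical, and it assumes Struts 2.1.x with the default interceptor stack, in which the servletConfig interceptor injects the session map into actions implementing SessionAware and the params interceptor binds request parameters to setters.

```java
// Added example (not from WW-2949 or the Struts code base). Two action classes,
// shown here together; in a project each would be its own source file.
// Hypothetical flow: PrepareOrderAction renders the form and keeps the unit
// price server-side; ConfirmOrderAction reads that price back from the session
// rather than from a hidden field or URL parameter the user could alter.
package example; // hypothetical package

import java.util.Map;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

// --- File: PrepareOrderAction.java ---
/** Step 1: looks up the trusted value and renders the form. */
public class PrepareOrderAction extends ActionSupport implements SessionAware {
    // Session key for the value the user must not be able to change (hypothetical name).
    public static final String PRICE_KEY = "order.unitPriceCents";

    private Map<String, Object> session;
    private int unitPriceCents;

    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }

    @Override
    public String execute() {
        // Constructed value; a real application would look this up server-side.
        unitPriceCents = 1999;
        // The JSP may display the price, but the next action never reads it from
        // the request, so editing a hidden field or the URL cannot change it.
        session.put(PRICE_KEY, unitPriceCents);
        return INPUT; // renders the form, which carries only a quantity field
    }

    public int getUnitPriceCents() { return unitPriceCents; }
}

// --- File: ConfirmOrderAction.java ---
/** Step 2: handles the submitted form. Only quantity comes from the user. */
class ConfirmOrderAction extends ActionSupport implements SessionAware {
    private Map<String, Object> session;
    private int quantity; // bound from the request by the params interceptor

    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }

    /** The one field the user is allowed to supply. */
    public void setQuantity(int quantity) { this.quantity = quantity; }

    @Override
    public void validate() {
        // Server-side check of the user-supplied field ("Webdevelopment 101").
        if (quantity < 1 || quantity > 100) {
            addFieldError("quantity", "Quantity must be between 1 and 100");
        }
        // No prepared order in this session: the form was not served by step 1.
        if (session.get(PrepareOrderAction.PRICE_KEY) == null) {
            addActionError("No order in progress");
        }
    }

    @Override
    public String execute() {
        // Safe to cast: the workflow interceptor returns "input" before execute()
        // runs when validate() recorded any error.
        int unitPriceCents = (Integer) session.get(PrepareOrderAction.PRICE_KEY);
        long totalCents = (long) unitPriceCents * quantity;
        // ... persist the order using totalCents ...
        session.remove(PrepareOrderAction.PRICE_KEY); // one-shot value
        return SUCCESS;
    }
}
```

The form rendered by step 1 needs no `<s:hidden>` for the price at all; if the page still shows it, it is display only. Any attempt to add a price parameter to the request is simply ignored, because ConfirmOrderAction has no setter for it, and the only request-derived input is range-checked in validate() before execute() runs.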


[jira] Commented: (WW-2949) Passing parameter value from Action to Action requires a security vulnerability

Posted by "Rene Gielen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45454#action_45454 ] 

Rene Gielen commented on WW-2949:
---------------------------------

You may want to have a look at the scope plugin [1], which provides an S2 way to ease targeted state transfer between actions (via session, of course). But this issue is really a non-issue :)

[1] http://cwiki.apache.org/S2PLUGINS/scope-plugin.html

> Passing parameter value from Action to Action requires a security vulnerability
> -------------------------------------------------------------------------------
>
>                 Key: WW-2949
>                 URL: https://issues.apache.org/struts/browse/WW-2949
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.1.6
>         Environment: All
>            Reporter: Lee Clemens
>            Priority: Minor
>
> To pass a parameter value from Action->form->Action, you need to use a URL parameter or <s:hidden>.
> The URL can be manipulated manually and the hidden form field can be altered via a Firefox plugin, etc.
> This presents a security issue, since the form's hidden attribute can be manipulated via a Firefox plugin, etc., and the URL can be altered directly.



[jira] Closed: (WW-2949) Passing parameter value from Action to Action requires a security vulnerability

Posted by "Lee Clemens (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lee Clemens closed WW-2949.
---------------------------


Thank you all for your responses.

> Passing parameter value from Action to Action requires a security vulnerability
> -------------------------------------------------------------------------------
>
>                 Key: WW-2949
>                 URL: https://issues.apache.org/struts/browse/WW-2949
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core Actions
>    Affects Versions: 2.1.6
>         Environment: All
>            Reporter: Lee Clemens
>            Priority: Minor
>
> To pass a parameter value from Action->form->Action, you need to use a URL parameter or <s:hidden>.
> The URL can be manipulated manually and the hidden form field can be altered via a Firefox plugin, etc.
> This presents a security issue, since the form's hidden attribute can be manipulated via a Firefox plugin, etc., and the URL can be altered directly.
