Subject: Re: data injection attack
From: Lukasz Lenart
To: Struts Users Mailing List
Date: Wed, 4 Jul 2012 14:57:41 +0200

By removing the setter for it?

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/

2012/7/4 J. Garcia:
> An interesting article that I found:
>
> http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/
>
> In struts2 it is pretty easy to set attribute values of any bean field when
> a form is posted, even if the field is not in the form.
> For instance, in my struts2 jsp form I have fields such as:
> - mybean.id, hidden
> - mybean.field1,
> - mybean.field2
>
> With Firebug, I can easily add a mybean.field3 and set it to any value when
> the form is posted.
>
> I've seen that Spring MVC has the concept of allowed fields to prevent data
> injection attack. How can this be done in Struts2?
>
> J.
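One way to get the "allowed fields" behaviour the question asks about, as an added example that is not part of the thread or of the Struts project: the action implements ParameterNameAware, so ParametersInterceptor consults an allow-list of parameter names before binding anything from the request, and the bean itself has no setter for the field that must never come from the form (the approach suggested in the reply). Class, package and field names (SaveBeanAction, MyBean, field3) follow the question and are hypothetical.

```java
// Added example, not code from the thread. Names are hypothetical.
package example;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SaveBeanAction extends ActionSupport implements ParameterNameAware {

    // Only these request parameters are ever bound. Anything else, for
    // example "mybean.field3", is dropped by ParametersInterceptor before
    // any setter is reached, regardless of what the form or client sends.
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
            "mybean.id", "mybean.field1", "mybean.field2"));

    private MyBean mybean = new MyBean();

    // Called by ParametersInterceptor for every incoming parameter name.
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return ALLOWED.contains(parameterName);
    }

    public MyBean getMybean() { return mybean; }
    public void setMybean(MyBean mybean) { this.mybean = mybean; }

    @Override
    public String execute() {
        // field3 is decided on the server, never by the request
        mybean.field3 = "set-by-server";
        // ... persist mybean ...
        return SUCCESS;
    }

    /** Bean exposed to the form. field3 has no public setter, so with the
     *  default OGNL settings it cannot be populated from a request even if
     *  the allow-list above were missing: defence in depth. */
    public static class MyBean {
        private Long id;
        private String field1;
        private String field2;
        private String field3; // server-controlled, no setter on purpose

        public Long getId() { return id; }
        public void setId(Long id) { this.id = id; }
        public String getField1() { return field1; }
        public void setField1(String field1) { this.field1 = field1; }
        public String getField2() { return field2; }
        public void setField2(String field2) { this.field2 = field2; }
        public String getField3() { return field3; }
        // no setField3(): nothing for the parameters interceptor to call
    }
}
```

The two measures are independent: the allow-list stops unexpected parameter names at the interceptor, while removing the setter makes the sensitive property unreachable through property binding even if the allow-list is forgotten on another action that exposes the same bean. Either way, a request carrying an extra mybean.field3 parameter leaves field3 unchanged.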