tomcat-dev mailing list archives

From Walker Joe
Subject JSP hole?
Date Tue, 25 Jul 2000 14:10:16 GMT

I hope this is just a known hole that isn't publicised enough ..

Very simple JSP page that contains a form to enter a name:

<%@ page import="test.*" %>
<jsp:useBean id="example" scope="page" class="test.Example" />
<%-- property="*" passes every request parameter to the bean setter of the same name --%>
<jsp:setProperty name="example" property="*" />

<form>
<input type="text" name="name" size="30">
<input type="submit" value="Submit">
</form>


And a Bean that it works with:

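package test;
public class Example
{
    public void setName(String name) { this.name = name; debug(); }
    public String getName() { return name; }
    // Public setter: reachable through property="*" even though the form has no such field.
    public void setPassword(String pass) { this.pass = pass; debug(); }
    public String getPassword() { return pass; }
    private String name;
    private String pass;
    // The body of debug() is missing from the archived message; this one just prints the fields.
    private void debug()
    {
        System.out.println("name=" + name + ", pass=" + pass);
    }
}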

The danger is that using the following URL:


I can edit the password field as well as the name field.

The real problem is <jsp:setProperty name="example" property="*" />

Is this well known?


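Added example, not part of the original message: a small Java program that mimics what property="*" does through bean introspection and compares it with binding only an allowlisted property. The class BindDemo, the bind helper and the sample parameter values are constructed for illustration, and it assumes Java 9 or later.

```java
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class BindDemo {
    // Stand-in for test.Example from the message (debug() omitted).
    public static class Example {
        private String name;
        private String pass;
        public void setName(String name) { this.name = name; }
        public String getName() { return name; }
        public void setPassword(String pass) { this.pass = pass; }
        public String getPassword() { return pass; }
    }

    // Roughly what property="*" does: every request parameter whose name
    // matches a writable String property is handed to that property's setter.
    // With allowed == null nothing is filtered (the wildcard behaviour).
    static void bind(Object bean, Map<String, String> params, Set<String> allowed)
            throws Exception {
        BeanInfo info = Introspector.getBeanInfo(bean.getClass(), Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            Method setter = pd.getWriteMethod();
            String value = params.get(pd.getName());
            if (setter == null || value == null || pd.getPropertyType() != String.class) continue;
            if (allowed != null && !allowed.contains(pd.getName())) continue;
            setter.invoke(bean, value);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the form only offers "name"; "password" is an extra parameter.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("name", "joe");
        params.put("password", "changed");

        Example wildcard = new Example();
        bind(wildcard, params, null);            // wildcard binding sets both fields
        System.out.println("wildcard:  pass=" + wildcard.getPassword());

        Example listed = new Example();
        bind(listed, params, Set.of("name"));    // only the listed property is bound
        System.out.println("allowlist: pass=" + listed.getPassword());
    }
}
```

In the JSP itself, the allowlisted form is `<jsp:setProperty name="example" property="name" />`, which binds only the named property and leaves setPassword unreachable from request parameters.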