FYI, Just to start off, I am going to review these classes. If someone else also reviews them, thats probably a good thing...
# classes, package name 17 o.a.c.deploy 9 o.a.c.users 44 o.a.c.* 34 o.a.jk.* 15 j.s.http Briefly, I am going to look for - How/if a ClassLoader is used - privilege blocks (are they small, use trusted values) - look for non-final static variables (can they be abused) - can methods/fields be made private? - are mutable objects returned to caller (especially arrays) think about returning clones - non final equals/hashcode methods? (accessing sensitive stuff?) - Serializable (exposes private stuff?) Does anyone publish a security checklist list like this? Blah Blah, -bob On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote: > Hi, > > I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I > would like to collect as more as information as where you think I should > look at (code, security hole, etc.). I'm planning to do the audit using > the default SecurityManager. Rigth now, I have started looking at: > > - doPrivilege blocks. Are they small enough? Can they be reduced? > - JSP generated code. Are they secure? Can a malicious app uses the code > to access o.a.catalina code? > - Is catalina.policy restricted enough? > - Is our Classloader secure? > > Any direction/ideas/recommendations will be appreciated. > > Thanks, > > -- Jeanfrancois > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- Bob Herrmann <[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>