> Okay, here's an example. I'm trying to test doing a form post
> to the secure side, setting some session variables, and doing
> a redirect back to the nonsecure side. I wanted to try doing
> it with the following line of code (thinking that maybe a
> serverside redirect would bypass the pop up warning about
> leaving a secure site) (Note: I don't even know if what
> I'm trying to do would work and if the session variables
> would get set before it forwarded, etc. but I could easily
> figure that out if I could test it)
>
> <cfscript>
>         getPageContext().forward(form.redirect);
> </cfscript>
>
> Here's their concern:
> The Java snippet that you have concerns me. While I understand
> its purpose, it exposes a potential threat. For example, if I
> knew the relative path to your admin pages, I could call a
> change password utility for users and execute the code.
>
> Is this valid? If so, how would you go about preventing that
> from happening?

Well, actually, there is a potential problem with your code snippet,
although it's not really specific to the use of Java. You're taking input
from a form and simply using it without validating it first. What would
happen if the user specified an invalid value for form.redirect? In
practice, this specific issue probably wouldn't be that big of a problem,
assuming that you couldn't crash the server with invalid data, and that if
the user specified a value that corresponded to a valid file path that you
didn't want the user to be able to access, you would probably have security
in place within that URL to prevent access anyway.

Are your server administrators concerned about untrustworthy developers, or
untrustworthy users? If it's the former, they're in for a world of hurt,
since it's hard to protect systems from the developers building them. If
it's the latter, they simply need to ensure that best practices of web
application development security and deployment are followed, whatever
server-side language you use. One of those best practices is to validate any
input from the client before using it within your program.

As Matt pointed out, there are plenty of Java web applications around, and
if your server administrators were right about server-side Java code being a
threat by itself, the logical conclusion would be that none of these
applications could be secured.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
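An added example of the input validation Dave recommends, written here and not taken from either message: instead of passing form.redirect straight to forward(), the form sends a short key that is looked up in a server-side allowlist, so the client never supplies a path at all. The page names (/index.cfm, /account/profile.cfm, /store/cart.cfm) and the class and method names are assumptions for illustration; it is plain Java (9 or later, for Map.of) with no servlet dependency, so the check can be compiled and run on its own.

```java
import java.util.Map;

/**
 * Added example (not from the original post): validate a client-supplied
 * redirect target before handing it to a server-side forward.
 * The allowlist entries below are hypothetical; substitute the pages the
 * post-login flow is actually allowed to land on.
 */
public final class RedirectGuard {

    // Allowlist: the only pages a form may ask to be forwarded to.
    // Short keys map to real paths, so the client never chooses a path.
    private static final Map<String, String> ALLOWED = Map.of(
        "home",    "/index.cfm",
        "account", "/account/profile.cfm",
        "cart",    "/store/cart.cfm"
    );

    private static final String DEFAULT_KEY = "home";

    private RedirectGuard() {}

    /**
     * Returns the server-side path for the requested key, or the default
     * page when the key is missing or not in the allowlist.
     */
    public static String resolve(String requestedKey) {
        if (requestedKey == null) {
            return ALLOWED.get(DEFAULT_KEY); // field absent from the form
        }
        // Map.of rejects null keys, so the null check above must come first.
        String path = ALLOWED.get(requestedKey.trim().toLowerCase());
        return path != null ? path : ALLOWED.get(DEFAULT_KEY);
    }

    /**
     * Alternative for forms that legitimately send a path: accept it only
     * when it is exactly one of the allowlisted paths (no prefix matching,
     * so "../" or query strings cannot slip past).
     */
    public static boolean isAllowedPath(String requestedPath) {
        return requestedPath != null && ALLOWED.containsValue(requestedPath);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: values a form field named "redirect" might carry.
        String[] samples = {
            "account",                      // known key    -> /account/profile.cfm
            "../admin/changePassword.cfm",  // unknown key  -> /index.cfm
            "http://attacker.example/",     // unknown key  -> /index.cfm
            null                            // field absent -> /index.cfm
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));
        }
        System.out.println(isAllowedPath("/account/profile.cfm"));      // true
        System.out.println(isAllowedPath("/admin/changePassword.cfm")); // false
    }
}
```

In the ColdFusion page the forward would then become getPageContext().forward(RedirectGuard.resolve(form.redirect)), or the equivalent lookup in CFML, so an unexpected value lands the user on the default page rather than on whatever path was typed into the form. Per-page access control on the admin templates is still needed; the allowlist only keeps the redirect itself from being steered.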