Sure and please also point out which need to be fixed if possible, Thanks! On Wed, Sep 13, 2017 at 10:52 AM, Debojyoti Dutta <[email protected]> wrote:
> Thanks Gary for the insightful thread. Maybe run our code base against a > threat ID tool? > > Debo > > Sent from my iPhone > > > On Sep 13, 2017, at 10:14 AM, Gang(Gary) Wang <[email protected]> wrote: > > > > One of our contributors told me that this breach is related to a > > serialized object that Mnemonic has tried to avoid as below > > > > "However, “for either vulnerability, the process is basically the same. > The > > attacker sends a specific HTTP request containing some special syntax. > In > > one case, an OGNL expression. In the other, a serialized object,” he > said > > in comments emailed to SC Media. “The Equifax Struts application would > > receive this request, and get tricked into executing operating system > > commands.” > > > > The attacker can then “use these to take over the entire box – do > anything > > the application can do,” Williams said. “So, they probably stole the > > database credentials out of the application, ran some queries, and then > > exfiltrated the data to some server they control on the internet.”" > > > > https://www.scmagazine.com/apache-struts-vulnerability- > likely-behind-equifax-breach-congress-launches-probes/article/687955/ > > > > IMHO, from the technical view point, Mnemonic has nothing about how to > > interact with UI layer. Theoretically, Mnemonic's linked durable objects > > could be transferred between different layers to avoid SerDe, user code > > makes use of those durable object for their own business logics. > > > > Regarding the Durable Query Model (DQM), it has not yet been fully > > implemented, we need to consider any possible injection and provide the > > proper measure to prevent potential breaches. > > > > Thanks! >
