Ok will create a Jira and take it up.

Sent from my iPhone
> On Sep 13, 2017, at 11:00 AM, Gang(Gary) Wang <[email protected]> wrote:
>
> Sure and please also point out which need to be fixed if possible, Thanks!
>
>> On Wed, Sep 13, 2017 at 10:52 AM, Debojyoti Dutta <[email protected]> wrote:
>>
>> Thanks Gary for the insightful thread. Maybe run our code base against a threat ID tool?
>>
>> Debo
>>
>> Sent from my iPhone
>>
>>> On Sep 13, 2017, at 10:14 AM, Gang(Gary) Wang <[email protected]> wrote:
>>>
>>> One of our contributors told me that this breach is related to a serialized object that Mnemonic has tried to avoid, as below:
>>>
>>> "However, “for either vulnerability, the process is basically the same. The attacker sends a specific HTTP request containing some special syntax. In one case, an OGNL expression. In the other, a serialized object,” he said in comments emailed to SC Media. “The Equifax Struts application would receive this request, and get tricked into executing operating system commands.”
>>>
>>> The attacker can then “use these to take over the entire box – do anything the application can do,” Williams said. “So, they probably stole the database credentials out of the application, ran some queries, and then exfiltrated the data to some server they control on the internet.”"
>>>
>>> https://www.scmagazine.com/apache-struts-vulnerability-likely-behind-equifax-breach-congress-launches-probes/article/687955/
>>>
>>> IMHO, from the technical viewpoint, Mnemonic has nothing about how to interact with the UI layer. Theoretically, Mnemonic's linked durable objects could be transferred between different layers to avoid SerDe; user code makes use of those durable objects for its own business logic.
>>>
>>> Regarding the Durable Query Model (DQM), it has not yet been fully implemented; we need to consider any possible injection and provide the proper measures to prevent potential breaches.
>>>
>>> Thanks!
>>
