Hi all JWebUnit users,

It seems there is a security issue when using JWebUnit to access a malicious web
site (see details below). The latest HtmlUnit version seems to be unaffected, so I
suggest that people using JWebUnit to crawl random pages update to the latest
JWebUnit from SVN trunk.

Regards,

Julien



----- Forwarded message ----
> From: Matthias -apoc- Hecker <a...@sixserv.org>
> To: henr...@users.sourceforge.net
> Sent: Sunday 31 January 2010, 21:10:48
> Subject: JWebUnit: JavaScript Execution Security Problem
> 
> Dear Julien Henry,
> 
> I'm writing to inform you about a security problem that occurred to me
> in JWebUnit 2.2. The problem is that arbitrary JavaScript executed by
> JWebUnit can use any Java standard library class. The following HTML/JS
> is an example of this:
> 
>   <script type="text/javascript">
>     var run = java.lang.Runtime.getRuntime();
>     run.exec('/usr/bin/xclock');
>   </script>
> 
> This problem is originally caused by using the Rhino JavaScript library
> wrongly, without changing the default execution Context; however, the
> HtmlUnit library seems not to be affected by this, or it is already fixed
> (tested with 2.6).
> 
> I had planned to make this problem public on the 8th February 2010.
> Please inform me if you need more time to address this problem.
> 
> 
> Yours sincerely,
> 
> Matthias -apoc- Hecker
> --
> (a) (p)roof (o)f (c)oncept ..
>   http://apoc.sixserv.org/
> 
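As an added illustration (not code from JWebUnit, HtmlUnit or the reporter), here is the kind of fix the report points at: an embedding of Rhino that installs a ClassShutter on the Context before evaluating page script, so that java.* lookups never resolve to real Java classes. The class and method names are hypothetical; the Rhino calls used (Context.enter, setClassShutter, initStandardObjects, evaluateString) are real Rhino API.

```java
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

/**
 * Hypothetical Rhino embedding that refuses to expose any Java class to
 * page scripts. Rhino consults the ClassShutter for every class a script
 * tries to reach through the java.* / Packages.* objects.
 */
public class RestrictedRhinoRunner {

    /** Deny-all shutter: no Java class is visible to script code. */
    private static final ClassShutter DENY_ALL = new ClassShutter() {
        public boolean visibleToScripts(String fullClassName) {
            return false;
        }
    };

    /**
     * Evaluates untrusted page script with the shutter installed.
     * Returns true if the script ran to completion, false if Rhino rejected it.
     */
    public static boolean runUntrusted(String source) {
        Context cx = Context.enter();
        try {
            // Must be installed before the script can touch any Java name;
            // Rhino does not allow replacing the shutter once set.
            cx.setClassShutter(DENY_ALL);
            Scriptable scope = cx.initStandardObjects();
            cx.evaluateString(scope, source, "page", 1, null);
            return true;
        } catch (RhinoException e) {
            // With the shutter, java.lang.Runtime resolves to a package stub
            // rather than the class, so the call fails here instead of
            // spawning a process.
            System.err.println("script rejected: " + e.getMessage());
            return false;
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the script from the report, minus the HTML wrapper.
        String poc = "var run = java.lang.Runtime.getRuntime();\n"
                   + "run.exec('/usr/bin/xclock');";
        System.out.println("ran without error: " + runUntrusted(poc));
    }
}
```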


_______________________________________________
JWebUnit-users mailing list
JWebUnit-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jwebunit-users