It's not as easy as it sounds.

The JVM allows one security policy, so you'd have to fine-tune a policy file and ensure that it doesn't cause your appserver to become upset. Some servers have their own policy files that need to be tweaked, others will need one from scratch.

On Dec 12, 2003, at 8:45 AM, BOGAERT Mathias wrote:

Well, we are not all up to date on Java security policies, but since you
seem to be, care to enlighten us?


Thanks,
Mathias

-----Original Message-----
From: John Patterson [mailto:[EMAIL PROTECTED]
Sent: Friday 12 December 2003 14:42
To: [EMAIL PROTECTED]
Subject: Re: [OS-webwork] Security flaw with WW2


Time to brush up on Java security policies.


----- Original Message -----
From: "Carlos Villela" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 12, 2003 1:32 PM
Subject: RES: [OS-webwork] Security flaw with WW2


OOOOOOUCH!


Ok, possible solutions:

- Disallow POSTs with unknown referers (sucks, but works)
- Disallow use of java.lang.System, java.lang.Runtime and friends in OGNL (good & works)


Good catch, John!

-cv

-----Original Message-----
From: John Patterson [mailto:[EMAIL PROTECTED]
Sent: Friday, 12 December 2003 11:24
To: Webwork
Subject: [OS-webwork] Security flaw with WW2


Guess what this does?


<html>
<body>
<form method="post" action=http://myhost/app/myAction.action>
<input name="@[EMAIL PROTECTED](1).dummy" value=""/>
</form>
</body>
</html>


John.


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. Does
SourceForge.net help you be more productive? Does it help you create better
code? SHARE THE LOVE, and help us help YOU! Click Here:
http://sourceforge.net/donate/
_______________________________________________
Opensymphony-webwork mailing list [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
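One way to implement Carlos' second suggestion (keeping java.lang.System, java.lang.Runtime and friends out of OGNL) is to refuse any request parameter name that is not a plain property path before it ever reaches the OGNL parser. This is an added illustration, not code from WebWork; the class name, the regex and the sample parameter names are my own.

```java
import java.util.regex.Pattern;

/**
 * Allowlist for request parameter names that are about to be evaluated by OGNL.
 * Added example (not WebWork code): only plain property paths pass, so the
 * "@Class@staticMethod(...)" shape, "#context" references, parentheses, quotes
 * and operators are all rejected before OGNL parses anything.
 */
public final class ParameterNameFilter {

    // identifier, optionally followed by ".identifier" or "[digits]" segments
    private static final Pattern SAFE_NAME = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*|\\[[0-9]+\\])*");

    private ParameterNameFilter() {}

    /** True only if the whole name is a simple property path. */
    public static boolean isAcceptable(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    public static void main(String[] args) {
        // constructed sample parameter names, not taken from any real request
        String[] samples = {
            "user.name",                    // plain property: accepted
            "items[0].id",                  // indexed property: accepted
            "@some.Class@method(1).dummy",  // static method call shape: rejected
            "#context.foo",                 // OGNL context reference: rejected
            "user.name()",                  // method call: rejected
        };
        for (String s : samples) {
            System.out.println((isAcceptable(s) ? "ACCEPT " : "REJECT ") + s);
        }
    }
}
```

A parameter interceptor would call isAcceptable() on every incoming name and log and drop the ones that fail, rather than handing them to OGNL.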
