Ouch -- great catch! Please file a jira issue and I think we'll need to update the CompoundRootAccessor to only execute methods after the action has been processed and we're in "view mode". I'll probably put in a few other checks, like disallowing some of the super critical method calls like System.exit.
-Pat

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Dwelle
Sent: Friday, December 12, 2003 8:36 AM
To: [EMAIL PROTECTED]; Jason Carreira
Subject: RE: [OS-webwork] Security flaw with WW2

In addition, I recommend disallowing *any* method invocations (static or not) from an HTTP request.

Quoting Jason Carreira <[EMAIL PROTECTED]>:

> I think this is the way to go. We'll have to wait for Patrick to come
> in to hear his thoughts.
>
> > -----Original Message-----
> > From: Cameron Braid [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, December 12, 2003 10:35 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [OS-webwork] Security flaw with WW2
> >
> > Surely the OGNL context that these expressions (params interceptor) are
> > being executed within can be configured to disallow static invocation.
> >
> > Cameron
> >
> > Tobias Järlund wrote:
> >
> > > Well, this seems to go well beyond shutting down the server. I'm
> > > pretty sceptical of the idea of having parameter names interpreted as
> > > OGNL expressions at all. OGNL is just too powerful to allow anyone to
> > > execute arbitrary OGNL expressions through the URL.
> > >
> > > Imagine what a call like
> > >
> > > http://server/[EMAIL PROTECTED]@deleteEverything().dummy=
> > >
> > > might do.
> > >
> > > Or, if the action has a getter to some interesting object,
> > >
> > > http://server/myAction.action?someProperty.persistenceManager.deleteEverything().dummy=...
> > >
> > > /Tobias
> > >
> > > > ----- Original Message -----
> > > > From: "Carlos Villela" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Friday, December 12, 2003 1:32 PM
> > > > Subject: RES: [OS-webwork] Security flaw with WW2
> > > >
> > > > OOOOOOUCH!
> > > >
> > > > Ok, possible solutions:
> > > >
> > > > - Disallow POSTs with unknown referers (sucks, but works)
> > > > - Disallow use of java.lang.System, java.lang.Runtime and friends in OGNL
> > > >   (good & works)
> > > >
> > > > Good catch, John!
> > > >
> > > > -cv
> >
> > --
> > Any damn fool can write code that a computer can understand... The trick
> > is to write code that humans can understand. [Martin Fowler
> > http://www.martinfowler.com/distributedComputing/refactoring.pdf]

_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
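As an added illustration of the mitigation Tim proposes above (this is not WebWork's own code and does not use the OGNL API), the following allowlist check accepts a request parameter name only when it is a plain dotted property path and rejects anything carrying a method invocation, static reference or other expression construct before it could reach the expression evaluator; the sample request and the `@example.Klass@staticCall()` name are constructed.

```python
import re

# Allowlist grammar for a parameter name: a dotted chain of Java-style
# identifiers, each optionally indexed, e.g. "user.addresses[2].city".
# Anything outside this grammar is rejected, so no method call, static
# reference or other OGNL construct can reach the expression evaluator.
_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
_SEGMENT = rf"{_IDENT}(?:\[[0-9]+\])?"
_PROPERTY_PATH = re.compile(rf"{_SEGMENT}(?:\.{_SEGMENT})*")

# Tokens that never occur in a plain property path; used only to label
# the rejection for logging. The allowlist above is what decides.
_REASONS = (("@", "static access"), ("(", "method invocation"),
            ("#", "context variable"), ("=", "assignment"))


def classify_param_name(name):
    """Return (accepted, reason) for one request parameter name."""
    if _PROPERTY_PATH.fullmatch(name):
        return True, "ok"
    for token, reason in _REASONS:
        if token in name:
            return False, reason
    return False, "not a property path"


def filter_params(params):
    """Split a request's parameters into the map that may be handed to
    the expression evaluator and a map of rejected names with reasons."""
    accepted, rejected = {}, {}
    for name, value in params.items():
        ok, reason = classify_param_name(name)
        (accepted if ok else rejected)[name] = value if ok else reason
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample request: two ordinary parameters plus the two
    # expression shapes discussed in the thread (the last one constructed).
    request = {
        "user.name": "alice",
        "user.addresses[0].city": "Oslo",
        "someProperty.persistenceManager.deleteEverything().dummy": "",
        "@example.Klass@staticCall().dummy": "",
    }
    accepted, rejected = filter_params(request)
    print("accepted:", sorted(accepted), "rejected:", rejected)
```

The rejected map is what the interceptor would log; a single rejected name in production traffic is a useful detection signal on its own.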