On 02/15/2011 09:59 AM, Shanahan Pete wrote:
All of the structures lying on top of the basic string-number parsing
assume that the parsing works.
If it's broken, then repeatedly fixing the issue in frameworks is not
going to address the issue; it is merely going to defer it.
I completely
On 02/15/2011 11:38 AM, Jim Manico wrote:
[snip]
Ryan Barnett just spit out a new (impressive) mod security rule so you
can tactically patch without touching code (see below).
[snip]
First step is to inspect the ARGS and REQUEST_HEADERS data using a regex
to match on potential floating point
I would assume just about any app with a shopping cart does. This is of course
compounded by libraries like Struts and Spring MVC that autobind your form
variables for you. Use a form with a double in it and you're boned.
Sent from my iPwn
On Feb 14, 2011, at 8:57 AM, Wall, Kevin
[chrisisb...@gmail.com]
Sent: Tuesday, February 15, 2011 12:06 AM
To: Wall, Kevin
Cc: Jim Manico; Rafal Los; sc-l@securecoding.org
Subject: Re: [SC-L] Java DOS
Anger growing
string - number.
it breaks,
deal with it, and move on.
why is this a problem again?
On 15 Feb 2011, at 05:06, Chris Schmidt wrote:
I would assume just about any app with a shopping cart does. This is of
course compounded by libraries like Struts and Spring MVC that
Jim Manico wrote...
Rafal,
It's not that tough to blacklist this vuln while you are waiting for your team
to patch your JVM (IBM and other JVMs have not even patched yet). I've seen
three generations of this filter already. Walk with me, Rafal, and I'll show
you. :)
1) Generation 1 WAF rule (reject one number
There's a very interesting vulnerability in Java kicking around. I wrote about
it here:
http://blog.fortify.com/blog/2011/02/08/Double-Trouble
In brief, you can send Java (and some versions of PHP) into an infinite loop if
you can provide some malicious input that will be parsed as a