I can't think of anything more boring and tedious (bug fixing?) but I am
willing to help. Maybe we should divide up the classes.
Cheers,
-bob
On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote:
Hi,
I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I
would like to collect as much information as I can about where you think I
should look (code, security holes, etc.). I'm planning to do the audit using
the default SecurityManager. Right now, I have started looking at:
FYI, just to start off, I am going to review these classes. If
someone else also reviews them, that's probably a good thing...
# classes, package name
17 o.a.c.deploy
9 o.a.c.users
44 o.a.c.*
34 o.a.jk.*
15 j.s.http
Briefly, I am going to look for
- How/if a ClassLoader is used
- privilege
Costin Manolache wrote:
AFAIK, the most important check is doPrivileged(). What we need
to look for is if any of those blocks could be used by
untrusted code to do something.
The second very important check is the facades - making sure
untrusted code can't get access to the real objects.
We should also make sure
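The two checks Costin describes, as an added example that is not from this thread and not Tomcat's own code: a doPrivileged() block that lets caller-supplied input steer the elevated action next to a version that only performs a fixed container-chosen action, and a facade that hands a narrow interface to webapp code without ever exposing the wrapped object. All class and method names here (PrivilegedAuditExample, RealSession, SessionFacade, HttpSessionLike, facadeLeaks) are hypothetical, as is the config path; the reflective facadeLeaks() helper is a static heuristic only.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical container-side code illustrating the doPrivileged and facade checks. */
public class PrivilegedAuditExample {

    // ---- Check 1: doPrivileged blocks ----

    /**
     * RISKY: the path comes straight from the caller and the read runs with the
     * container's own permissions. Any untrusted webapp code that can reach this
     * method reads files its own ProtectionDomain would be denied.
     */
    public static String readConfigRisky(final String callerSuppliedPath) throws IOException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                public String run() throws IOException {
                    return new String(Files.readAllBytes(Paths.get(callerSuppliedPath)), StandardCharsets.UTF_8);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException(); // run() only throws IOException
        }
    }

    /** Constructed path: chosen by the container at class-init time, never by a caller. */
    private static final Path CONTAINER_CONFIG = Paths.get("conf", "server.xml");

    /**
     * SAFER: the privileged block is as small as possible and no caller input
     * influences what it does, so it cannot be turned into a general file reader.
     */
    public static String readConfigSafe() throws IOException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<String>() {
                public String run() throws IOException {
                    return new String(Files.readAllBytes(CONTAINER_CONFIG), StandardCharsets.UTF_8);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    // ---- Check 2: facades ----

    /** The narrow view a webapp is allowed to see. */
    public interface HttpSessionLike {
        Object getAttribute(String name);
        void setAttribute(String name, Object value);
        boolean isValid();
    }

    /** The real object: carries container-internal state that webapps must not touch. */
    public static final class RealSession {
        private final Map<String, Object> attrs = new ConcurrentHashMap<String, Object>();
        private boolean valid = true;

        public Object getAttribute(String name) { return attrs.get(name); }
        public void setAttribute(String name, Object value) { attrs.put(name, value); }
        public boolean isValid() { return valid; }
        /** Container-internal lifecycle control; not reachable through the facade. */
        public void setValid(boolean v) { valid = v; }
        /** Only the facade is ever handed out; the real object stays inside the container. */
        public HttpSessionLike getFacade() { return new SessionFacade(this); }
    }

    /** Facade: delegates the allowed calls and has no field or method that returns the target. */
    public static final class SessionFacade implements HttpSessionLike {
        private final RealSession target; // private and final; class is final so no subclass can expose it
        SessionFacade(RealSession target) { this.target = target; }
        public Object getAttribute(String name) { return target.getAttribute(name); }
        public void setAttribute(String name, Object value) { target.setAttribute(name, value); }
        public boolean isValid() { return target.isValid(); }
    }

    /**
     * Audit heuristic: does any public method or field of the facade declare the real
     * type? (A method typed Object could still leak at runtime; this only catches the
     * obvious static case.)
     */
    public static boolean facadeLeaks(Class<?> facade, Class<?> real) {
        for (java.lang.reflect.Method m : facade.getMethods()) {
            if (real.isAssignableFrom(m.getReturnType())) return true;
        }
        for (java.lang.reflect.Field f : facade.getFields()) {
            if (real.isAssignableFrom(f.getType())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        RealSession real = new RealSession();
        real.setAttribute("user", "alice"); // constructed sample attribute
        HttpSessionLike view = real.getFacade();
        System.out.println("via facade: " + view.getAttribute("user"));
        System.out.println("facade leaks real type: " + facadeLeaks(SessionFacade.class, RealSession.class));
    }
}
```

With no SecurityManager installed, doPrivileged() is a no-op and both readConfig variants behave the same, which is exactly why these blocks are easy to miss in review; the audit question is what happens under the default policy when the caller's own ProtectionDomain lacks the FilePermission. For the facade, a private final field is only as good as the policy's ReflectPermission("suppressAccessChecks") denial, so the audit should confirm the default policy does not grant it to webapps.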
The more who review/audit tomcat for security, the better. :-)
Comments intermixed below.
Jean-Francois Arcand wrote:
Hi,
I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I
would like to collect as much information as I can about where you think I
should look (code, security holes, etc.). I'm planning to do the audit using
the default SecurityManager. Right now, I have started looking at:
-