On 11/08/2015 09:11 PM, James Carman wrote:
> How did we get to the point where someone could invoke arbitrary bytecode?

Take a look at class TemplatesImpl in com.sun.org.apache.xalan.internal.xsltc.trax, which is part of the Oracle and OpenJDK JRE. It is serializable and can load so-called Translets, which are stored as byte[] and will be loaded once the newTransformer method is invoked. So an attacker can store byte code in the array of a serialized TemplatesImpl object and force its execution via the InvokerTransformer.

Thomas
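
A defensive counterpart to the chain described in the message above, as an added example that is not part of the original post or of Commons Collections: an `ObjectInputStream` subclass that checks every class descriptor against an allowlist before the class is resolved, so a stream naming TemplatesImpl or InvokerTransformer is rejected before any of its data is read. The class name `AllowlistObjectInputStream`, the allowlist contents and the sample inputs are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;

public class AllowlistObjectInputStream extends ObjectInputStream {
    // Assumption: the application only ever expects these types on the wire.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList", "java.lang.Integer", "java.lang.Number"));

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called with each class descriptor read from the stream, before the class
    // is loaded and before any readObject() logic of that class runs.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                    "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a list of the kind the application expects.
        ArrayList<Object> expected = new ArrayList<>(Arrays.asList("a", 1));
        System.out.println("accepted: " + deserialize(serialize(expected)));
        try {
            // Constructed stand-in for any serializable type the application
            // never expects (TemplatesImpl would be refused the same way).
            deserialize(serialize(new PriorityQueue<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later, `ObjectInputStream.setObjectInputFilter` provides the same per-class check without subclassing.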