Hi All,

I act as administrator on a Redhat 7.1 system running Jrun 3.1 with the
Sun JRE. I've spotted some security issues, which I could use some
advice on.

Firstly, our site specification requires a file upload section. I've
just confirmed that it's possible to upload a JSP file, and have its
code interpreted by Jrun. Not good at all. 8-( My preferred fix is
to have the uploads go into their own directory, which Jrun is
configured *not* to execute files from. Does anyone know a way to
exclude a sub-tree in this way? I've examined the configuration
section of Drew Falkman's book, but can't see anything relevant.

The second really relates to the JRE. It will insist on running as
user 'root.' Who'd have thought that of Sun? It's not like they are
UN*X newbies, after all. I've tried setting the java executable to be
suid 'apache,' but then it fails to run due to not finding an essential
library. A long search of the Web only brought up files about the need
to install as root, nothing about preventing it from running as him.

The potential of those two vulnerabilities together is *quite*
unnerving.

Does anyone know of a solution to either problem?

TIA
--
David Spacey
[EMAIL PROTECTED]
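The first problem in the post (an uploaded .jsp being compiled and run by the container) is usually closed on the application side, independently of whatever the container's configuration allows: accept only an allowlist of extensions, discard the client-supplied name entirely, and write the bytes under a server-chosen random name into a directory that is not under the servlet document root at all. The following is an added illustration of that policy, written in Python rather than as a servlet; it is not code from the poster or from JRun, and the extension list, the exception class and the `demo()` inputs are constructed for this example. The assumption that `upload_root` lies outside the document root is what keeps the stored file from ever being requested (or compiled) over HTTP.

```python
import os
import secrets
import tempfile

# Constructed policy for this example: only these extensions are accepted.
# Anything else, .jsp included, is rejected before it touches the disk.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "gif"}


class UploadRejected(ValueError):
    """Raised when an upload fails the policy checks (hypothetical helper)."""


def check_upload_name(original_name):
    """Return the normalised extension if the client-supplied name is acceptable.

    Only the extension is used for the decision; the rest of the name is
    thrown away later, so directory separators or '..' sequences in the
    client's name never reach the filesystem.
    """
    base = os.path.basename(original_name.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("no file extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed: %s" % ext)
    return ext


def store_upload(original_name, data, upload_root):
    """Store `data` under a server-chosen random name inside `upload_root`.

    `upload_root` is assumed to live outside the servlet container's
    document root, so nothing written here can be served or handed to the
    JSP compiler. The returned path is what the application records.
    """
    ext = check_upload_name(original_name)
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    path = os.path.join(upload_root, stored)
    # O_EXCL: never overwrite an existing file; 0o600: readable only by the
    # account the server runs as.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Run the policy over a few constructed upload names and report outcomes."""
    root = tempfile.mkdtemp()
    results = {}
    for name in ("report.pdf", "page.jsp", "../../etc/passwd",
                 "photo.JPG", "notes.txt.jsp"):
        try:
            store_upload(name, b"constructed sample content", root)
            results[name] = "stored"
        except UploadRejected as e:
            results[name] = "rejected: %s" % e
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-20s %s" % (name, outcome))
```

Because the stored name is generated by the server, a name such as `notes.txt.jsp` cannot smuggle a second extension past the check, and the traversal attempt is reduced to its basename before anything is inspected. This addresses only the upload question; it does nothing about the separate issue of the JRE running as root.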