Is this an issue with Webwork 1.4 as well?

Blake
----- Original Message -----
From: "BOGAERT Mathias" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 12, 2003 9:06 AM
Subject: RE: [OS-webwork] Security flaw with WW2

> FYI you can find information on how to do this for WebLogic 8.1 here:
> http://edocs.bea.com/wls/docs81/security/server_prot.html#1032262
>
> Mathias
>
> -----Original Message-----
> From: Hani Suleiman [mailto:[EMAIL PROTECTED]
> Sent: Friday 12 December 2003 14:56
> To: [EMAIL PROTECTED]
> Subject: Re: [OS-webwork] Security flaw with WW2
>
> It's not as easy as it sounds.
>
> The JVM allows one security policy, so you'd have to fine tune a policy
> file and ensure that it doesn't cause your appserver to become upset.
> Some servers have their own policy files that need to be tweaked,
> others will need one from scratch.
>
> On Dec 12, 2003, at 8:45 AM, BOGAERT Mathias wrote:
>
> > Well, we are not all up to date on Java security policies, but since
> > you seem to be, care to enlighten us?
> >
> > Thanks,
> > Mathias
> >
> > -----Original Message-----
> > From: John Patterson [mailto:[EMAIL PROTECTED]
> > Sent: Friday 12 December 2003 14:42
> > To: [EMAIL PROTECTED]
> > Subject: Re: [OS-webwork] Security flaw with WW2
> >
> > Time to brush up on Java security policies.
> >
> > ----- Original Message -----
> > From: "Carlos Villela" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, December 12, 2003 1:32 PM
> > Subject: RES: [OS-webwork] Security flaw with WW2
> >
> > OOOOOOUCH!
> >
> > Ok, possible solutions:
> >
> > - Disallow POSTs with unknown referers (sucks, but works)
> > - Disallow use of java.lang.System, java.lang.Runtime and friends in
> >   OGNL (good & works)
> >
> > Good catch, John!
> >
> > -cv
> >
> > -----Original Message-----
> > From: John Patterson [mailto:[EMAIL PROTECTED]
> > Sent: Friday, 12 December 2003 11:24
> > To: Webwork
> > Subject: [OS-webwork] Security flaw with WW2
> >
> > Guess what this does?
> >
> > <html>
> > <body>
> > <form method="post" action=http://myhost/app/myAction.action>
> > <input name="@[EMAIL PROTECTED](1).dummy" value=""/>
> > </form>
> > </body>
> > </html>
> >
> > John.
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
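One way to act on Carlos's second suggestion (keep java.lang.System, java.lang.Runtime and friends out of OGNL) is to refuse any request parameter name that is not a plain property path before the framework ever hands it to the expression evaluator. The class below is an added example, not WebWork's own code and not something posted in the thread; the class name, the property-path grammar it allows and the sample names are assumptions.

```java
import java.util.regex.Pattern;

/**
 * Allow-list check for request parameter names before they reach an
 * expression evaluator such as OGNL. Hypothetical helper written to
 * illustrate the mitigation discussed on the list; it assumes the
 * application only binds plain property paths such as "user.name" or
 * "items[2].qty".
 */
public final class ParameterNameGuard {

    // One identifier segment with an optional numeric index, e.g. items[2]
    private static final String SEGMENT = "[A-Za-z_][A-Za-z0-9_]*(?:\\[[0-9]+\\])?";

    // Whole name: segments joined by dots. '@' (static class/method access),
    // '#' (context references), parentheses (method calls), quotes and
    // assignment operators cannot pass this pattern, so the evaluator never
    // sees them.
    private static final Pattern SAFE_NAME =
        Pattern.compile("^" + SEGMENT + "(?:\\." + SEGMENT + ")*$");

    // Assumed upper bound so the evaluator is never asked to walk huge paths.
    private static final int MAX_LENGTH = 100;

    private ParameterNameGuard() {}

    public static boolean isSafeParameterName(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_LENGTH) {
            return false;
        }
        return SAFE_NAME.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names: the first three look like ordinary form
        // fields, the rest use OGNL syntax that has no business in a form.
        String[] samples = {
            "user.name",
            "items[2].qty",
            "address.lines[0]",
            "@java.lang.Math@abs(1).dummy",   // static method call syntax
            "#application['foo']",            // context reference
            "user.name=x",                    // assignment
        };
        for (String s : samples) {
            System.out.printf("%-34s %s%n", s, isSafeParameterName(s) ? "accept" : "reject");
        }
    }
}
```

Wiring this into a servlet filter (or the interceptor that copies parameters onto the action) and rejecting the request on the first bad name gives a single choke point that does not depend on getting a JVM-wide security policy right for every application server.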