Well, this seems to go well beyond shutting down the server. I'm pretty sceptical of the idea of having parameter names interpreted as OGNL expressions at all. OGNL is just too powerful to allow anyone to execute arbitrary OGNL expressions through the URL.

Imagine what a call like http://server/[EMAIL PROTECTED]@deleteEverything().dummy= might do.
Or, if the action has a getter to some interesting object, http://server/myAction.action?someProperty.persistenceManager.deleteEverything().dummy=...


/Tobias

----- Original Message -----
From: "Carlos Villela" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 12, 2003 1:32 PM
Subject: RES: [OS-webwork] Security flaw with WW2



OOOOOOUCH!


Ok, possible solutions:

- Disallow POSTs with unknown referers (sucks, but works)
- Disallow use of java.lang.System, java.lang.Runtime and friends in OGNL (good & works)

Good catch, John!

-cv
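
The two attack shapes Tobias describes (a static call through "@class@method()" and a getter chain ending in a method call, with a trailing ".dummy=" so that setValue evaluates the chain) and Carlos's second mitigation can be seen side by side in the following example. It is added here and is not WebWork's or OGNL's code; it assumes the OGNL 2.x API (ClassResolver.classForName(String, Map), Ognl.createDefaultContext(root, resolver), Ognl.setValue), and the MyAction bean and the parameter map standing in for request parameters are constructed for the illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import ognl.ClassResolver;
import ognl.Ognl;
import ognl.OgnlException;

/*
 * Illustrative example, not WebWork's own code.  Assumes the OGNL 2.x API;
 * MyAction and the parameter map below are constructed for the demo.
 */
public class OgnlParamGuard {

    /** Hypothetical action bean: parameter names are evaluated against it. */
    public static class MyAction {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** The pattern under discussion: every parameter name goes straight to
     *  OGNL as an expression.  A name such as
     *  "@java.lang.Runtime@getRuntime().exec('...').dummy" or
     *  "someProperty.persistenceManager.deleteEverything().dummy" is then
     *  evaluated, and the method calls run while OGNL walks the chain. */
    public static void applyParamsUnsafe(Object action, Map<String, String> params)
            throws OgnlException {
        Map context = Ognl.createDefaultContext(action);
        for (Map.Entry<String, String> e : params.entrySet()) {
            Ognl.setValue(e.getKey(), context, action, e.getValue());
        }
    }

    /** Carlos's second option: refuse to resolve java.lang.System,
     *  java.lang.Runtime and friends whenever OGNL asks for a class by name
     *  (this is the path the "@class@method()" syntax takes). */
    public static class DenyListClassResolver implements ClassResolver {
        private static final String[] DENIED = {
            "java.lang.System", "java.lang.Runtime", "java.lang.ProcessBuilder",
            "java.lang.Class", "java.lang.ClassLoader", "java.lang.reflect."
        };
        public Class classForName(String className, Map context)
                throws ClassNotFoundException {
            for (String d : DENIED) {
                if (className.equals(d) || className.startsWith(d)) {
                    throw new ClassNotFoundException(
                        "class not allowed in parameter expressions: " + className);
                }
            }
            return Class.forName(className);
        }
    }

    /** Only plain property paths (identifiers, dots, numeric indices) are
     *  allowed as parameter names; '@', '(' and other OGNL operators never
     *  reach the evaluator.  This also covers the getter-chain case, which a
     *  class deny-list alone does not, since getters need no class lookup. */
    private static final Pattern PROPERTY_PATH = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?(\\.[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?)*");

    public static boolean isPlainPropertyPath(String expr) {
        return PROPERTY_PATH.matcher(expr).matches();
    }

    public static void applyParamsGuarded(Object action, Map<String, String> params)
            throws OgnlException {
        Map context = Ognl.createDefaultContext(action, new DenyListClassResolver());
        for (Map.Entry<String, String> e : params.entrySet()) {
            String expr = e.getKey();
            if (!isPlainPropertyPath(expr)) {
                System.err.println("rejected parameter name: " + expr);
                continue;
            }
            Ognl.setValue(expr, context, action, e.getValue());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters: one benign, two hostile.  The
        // hostile ones are harmless look-alikes of the shapes in the thread.
        Map<String, String> params = new LinkedHashMap<String, String>();
        params.put("name", "alice");
        params.put("@java.lang.System@getProperty('user.dir').dummy", "x");
        params.put("name.getClass().getName().dummy", "x");

        MyAction a = new MyAction();
        applyParamsGuarded(a, params);
        System.out.println("name after guarded apply: " + a.getName());
    }
}
```

The deny-list resolver only intervenes where OGNL has to look a class up by name, so it stops the "@java.lang.Runtime@..." form but not a chain of getters that already hands back an interesting object; the allow-list on the expression shape is what closes that second case, at the cost of rejecting parameter names that legitimately need OGNL syntax (quoted map keys, for instance).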

_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
