Would this stop people from completing forms with e-mail addresses?


Cheers, matthew

On Dec 17, 2003, at 4:15 AM, John Patterson wrote:

How about disallowing any parameters containing an @ in the
ParametersInterceptor?

----- Original Message -----
From: "Patrick Lightbody" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 17, 2003 3:55 AM
Subject: RE: [OS-webwork] Security flaw with WW2


Ouch -- great catch! Please file a jira issue and I think we'll need to
update the CompoundRootAccessor to only execute methods after the action
has been processed and we're in "view mode". I'll probably put in a few
other checks, like disallowing some of the super critical method calls
like System.exit.


-Pat

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Tim Dwelle
Sent: Friday, December 12, 2003 8:36 AM
To: [EMAIL PROTECTED]; Jason Carreira
Subject: RE: [OS-webwork] Security flaw with WW2

In addition, I recommend disallowing *any* method invocations (static
or not) from an HTTP request.





Quoting Jason Carreira <[EMAIL PROTECTED]>:

I think this is the way to go. We'll have to wait for Patrick to come
in to hear his thoughts.

-----Original Message-----
From: Cameron Braid [mailto:[EMAIL PROTECTED]
Sent: Friday, December 12, 2003 10:35 AM
To: [EMAIL PROTECTED]
Subject: Re: [OS-webwork] Security flaw with WW2



Surely the OGNL context that these expressions (params interceptor) are
being executed within can be configured to disallow static invocation.

Cameron


Tobias Järlund wrote:

Well, this seems to go well beyond shutting down the server. I'm
pretty sceptical to the idea of having parameter names interpreted as
OGNL expressions at all. OGNL is just too powerful to allow anyone to
execute arbitrary OGNL expressions through the URL.

Imagine what a call like

http://server/[EMAIL PROTECTED]@deleteEverything().dummy=

might do.
Or, if the action has a getter to some interesting object,

http://server/myAction.action?someProperty.persistenceManager.deleteEverything().dummy=...


/Tobias

----- Original Message -----
From: "Carlos Villela" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 12, 2003 1:32 PM
Subject: RES: [OS-webwork] Security flaw with WW2


OOOOOOUCH!


Ok, possible solutions:

- Disallow POSTs with unknown referers (sucks, but works)
- Disallow use of java.lang.System, java.lang.Runtime and friends in OGNL
(good & works)

Good catch, John!

-cv






-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it help you create
better code? SHARE THE LOVE, and help us help YOU! Click Here:
http://sourceforge.net/donate/
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork



--
Any damn fool can write code that a computer can
understand... The trick is to write code that humans can
understand. [Martin Fowler
http://www.martinfowler.com/distributedComputing/refactoring.pdf]
















-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Opensymphony-webwork mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork






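The parameter-name allowlist discussed in the thread (rejecting names that carry `@`, method calls or other OGNL syntax before they reach the expression engine, while never inspecting parameter values such as e-mail addresses), as an added example that is not WebWork's own ParametersInterceptor code; the class name, method names and the sample request are assumptions constructed for illustration:

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example (not WebWork's ParametersInterceptor): an allowlist applied to
// request parameter NAMES before they are handed to OGNL. Only plain property
// chains and numeric indexes are accepted; a name containing '@' (static
// access), '(' (method invocation), '#' (context references) or any other
// OGNL syntax is dropped. Parameter VALUES are never inspected, so a form
// field whose value is an e-mail address is unaffected.
public final class SafeParameterNameFilter {

    // identifier, optionally followed by any number of ".identifier" or "[123]"
    private static final Pattern SAFE_NAME = Pattern.compile(
        "^[A-Za-z_][A-Za-z0-9_]*(?:\\[[0-9]+\\]|\\.[A-Za-z_][A-Za-z0-9_]*)*$");

    private SafeParameterNameFilter() {}

    /** True when the name is a plain property path such as user.address[0].city. */
    public static boolean isAcceptableName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    /** Returns a copy of the request map with every unacceptable name removed. */
    public static Map<String, String> filter(Map<String, String> params) {
        Map<String, String> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (isAcceptableName(e.getKey())) {
                accepted.put(e.getKey(), e.getValue());
            } else {
                // log, but do not fail the request: the remaining fields still bind
                System.err.println("dropped parameter name: " + e.getKey());
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample request: ordinary form fields plus hostile names of
        // the kinds described in the thread (hypothetical class/method names).
        Map<String, String> request = new LinkedHashMap<>();
        request.put("email", "someone@example.com");          // '@' only in the value
        request.put("user.address[0].city", "Stockholm");     // plain property path
        request.put("someProperty.persistenceManager.deleteEverything().dummy", "x"); // method call
        request.put("@SomeClass@deleteEverything().dummy", "x"); // static invocation
        request.put("#context.foo", "x");                      // OGNL context reference
        System.out.println(filter(request).keySet());
    }
}
```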
