Why are parameter names evaluated? I don't remember.

> -----Original Message-----
> From: John Patterson [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, December 17, 2003 8:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [OS-webwork] Security flaw with WW2
> 
> 
> I just mean the parameter name, not the value. This would
> stop names like '@[EMAIL PROTECTED](1).dummy' from being evaluated.
> 
> ----- Original Message ----- 
> From: "Matthew E. Porter" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 17, 2003 1:18 PM
> Subject: Re: [OS-webwork] Security flaw with WW2
> 
> 
> Would this stop people from completing forms with e-mail addresses?
> 
> 
> Cheers,
>    matthew
> 
> On Dec 17, 2003, at 4:15 AM, John Patterson wrote:
> 
> > How about disallowing any parameters containing an @ in the 
> > ParametersInterceptor?
> >
> > ----- Original Message -----
> > From: "Patrick Lightbody" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, December 17, 2003 3:55 AM
> > Subject: RE: [OS-webwork] Security flaw with WW2
> >
> >
> > Ouch -- great catch! Please file a JIRA issue and I think we'll need
> > to update the CompoundRootAccessor to only execute methods after the
> > action has been processed and we're in "view mode". I'll probably put
> > in a few other checks, like disallowing some of the super critical
> > method calls like System.exit.
> >
> > -Pat
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Dwelle
> > Sent: Friday, December 12, 2003 8:36 AM
> > To: [EMAIL PROTECTED]; Jason Carreira
> > Subject: RE: [OS-webwork] Security flaw with WW2
> >
> > In addition, I recommend disallowing *any* method invocations (static
> > or not) from an HTTP request.
> >
> > Quoting Jason Carreira <[EMAIL PROTECTED]>:
> >
> >> I think this is the way to go. We'll have to wait for Patrick to come
> >> in to hear his thoughts.
> >>
> >>> -----Original Message-----
> >>> From: Cameron Braid [mailto:[EMAIL PROTECTED]
> >>> Sent: Friday, December 12, 2003 10:35 AM
> >>> To: [EMAIL PROTECTED]
> >>> Subject: Re: [OS-webwork] Security flaw with WW2
> >>>
> >>>
> >>>
> >>> Surely the OGNL context that these expressions (params
> >>> interceptor) are being executed within can be configured to
> >>> disallow static invocation.
> >>>
> >>> Cameron
> >>>
> >>> Tobias Järlund wrote:
> >>>
> >>>> Well, this seems to go well beyond shutting down the server. I'm
> >>>> pretty sceptical of the idea of having parameter names interpreted
> >>>> as OGNL expressions at all. OGNL is just too powerful to allow
> >>>> anyone to execute arbitrary OGNL expressions through the URL.
> >>>>
> >>>> Imagine what a call like
> >>>>
> >>>> http://server/[EMAIL PROTECTED]@deleteEverything().dummy=
> >>>>
> >>>> might do.
> >>>> Or, if the action has a getter to some interesting object,
> >>>>
> >>>> http://server/myAction.action?someProperty.persistenceManager.deleteEverything().dummy=...
> >>>>
> >>>>
> >>>> /Tobias
> >>>>
> >>>>> ----- Original Message -----
> >>>>> From: "Carlos Villela" <[EMAIL PROTECTED]>
> >>>>> To: <[EMAIL PROTECTED]>
> >>>>> Sent: Friday, December 12, 2003 1:32 PM
> >>>>> Subject: RES: [OS-webwork] Security flaw with WW2
> >>>>>
> >>>>>
> >>>>> OOOOOOUCH!
> >>>>>
> >>>>> Ok, possible solutions:
> >>>>>
> >>>>> - Disallow POSTs with unknown referers (sucks, but works)
> >>>>> - Disallow use of java.lang.System, java.lang.Runtime and friends
> >>>>>   in OGNL (good & works)
> >>>>>
> >>>>> Good catch, John!
> >>>>>
> >>>>> -cv
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>>> -------------------------------------------------------
> >>>> This SF.net email is sponsored by: SF.net Giveback Program. Does
> >>>> SourceForge.net help you be more productive?  Does it help you create
> >>>> better code?  SHARE THE LOVE, and help us help YOU!  Click Here:
> >>>> http://sourceforge.net/donate/
> >>>> _______________________________________________
> >>>> Opensymphony-webwork mailing list
> >>>> [EMAIL PROTECTED]
> >>>> https://lists.sourceforge.net/lists/listinfo/opensymphony-webwork
> >>>>
> >>>
> >>>
> >>> --
> >>> Any damn fool can write code that a computer can
> >>> understand... The trick is to write code that humans can
> >>> understand. [Martin Fowler
> >>> http://www.martinfowler.com/distributedComputing/refactoring.pdf]
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
> >
> >
> >
> >
> >
> >
> >
> >
> 
> 
> 
> 
> 
> 
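The mitigation the thread converges on (restrict what a parameter *name* may look like before it is handed to OGNL, while leaving the *value* alone so that form fields such as e-mail addresses still work) as an added example in Java. This is not WebWork or XWork code: the class, its grammar, the length and depth limits, and the sample request map are all constructed here for illustration, and the hostile names are built to have the same shape as the ones discussed above.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (not WebWork/XWork code): a whitelist for request
 * parameter NAMES applied before the name is evaluated as an expression.
 *
 * The attacks in the thread carry the payload in the name
 * ("@...@exit(1).dummy", "a.persistenceManager.deleteEverything().dummy"),
 * so the check inspects names only. Values are passed through untouched,
 * which is why an e-mail address in a value is not affected.
 */
public final class ParameterNameFilter {

    // One identifier, e.g. "user" or "address_1". Deliberately excludes
    // '@' (static field/method access), '#' (context variables),
    // '(' and ')' (method invocation), '=' (assignment) and whitespace.
    private static final String IDENT = "[A-Za-z_][A-Za-z0-9_]*";

    // A plain property path: IDENT followed by any number of ".IDENT" or
    // "[digits]". Numeric indexes keep "users[3].name" working; quoted keys
    // or nested expressions inside the brackets are rejected.
    private static final Pattern ACCEPTABLE =
        Pattern.compile("^" + IDENT + "(\\." + IDENT + "|\\[[0-9]+\\])*$");

    // Hypothetical limits chosen for this example; tune per application.
    private static final int MAX_LENGTH = 100;
    private static final int MAX_DEPTH = 5;   // number of '.' separators

    /** True if the name is a plain property path of bounded size. */
    public static boolean isAcceptable(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_LENGTH) {
            return false;
        }
        if (!ACCEPTABLE.matcher(name).matches()) {
            return false;
        }
        int depth = 0;
        for (int i = 0; i < name.length(); i++) {
            if (name.charAt(i) == '.') depth++;
        }
        return depth <= MAX_DEPTH;
    }

    /** Keeps only parameters whose names pass; rejected names are collected for logging. */
    public static Map<String, String> filter(Map<String, String> params, List<String> rejected) {
        Map<String, String> ok = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (isAcceptable(e.getKey())) {
                ok.put(e.getKey(), e.getValue());
            } else {
                rejected.add(e.getKey());
            }
        }
        return ok;
    }

    public static void main(String[] args) {
        // Constructed sample request; hostile names mimic the thread's shapes.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("email", "matthew@example.org");            // '@' in a VALUE: accepted
        params.put("user.name", "john");                        // property path: accepted
        params.put("users[0].name", "tobias");                  // indexed path: accepted
        params.put("@java.lang.System@exit(1).dummy", "x");     // static call in the NAME: rejected
        params.put("someProperty.persistenceManager.deleteEverything().dummy", "x"); // rejected
        params.put("#context.foo", "x");                        // context variable: rejected
        params.put("user.name=bar", "x");                       // assignment in the name: rejected

        List<String> rejected = new ArrayList<>();
        Map<String, String> accepted = filter(params, rejected);
        System.out.println("accepted: " + accepted.keySet());
        System.out.println("rejected: " + rejected);
    }
}
```

A name whitelist narrows the syntax that reaches the evaluator, but it does not change what a plain property path can reach: `someProperty.persistenceManager.x` still walks the action's getters before calling a setter. That is why the filter belongs alongside, not instead of, the other proposal in the thread, namely refusing method invocation (static or not) in the context used for parameter setting.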


