JSP security issues
Hi All,

I act as administrator on a Redhat 7.1 system running Jrun 3.1 with the Sun JRE. I've spotted some security issues, which I could use some advice on.

Firstly, our site specification requires a file upload section. I've just confirmed that it's possible to upload a JSP file, and have its code interpreted by Jrun. Not good at all. 8-( My preferred fix is to have the uploads go into their own directory, which Jrun is configured *not* to execute files from. Does anyone know a way to exclude a sub-tree in this way? I've examined the configuration section of Drew Falkman's book, but can't see anything relevant.

The second really relates to the JRE. It will insist on running as user 'root.' Who'd have thought that of Sun? It's not like they are UN*X newbies, after all. I've tried setting the java executable to be suid 'apache,' but then it fails to run due to not finding an essential library. A long search of the Web only brought up files about the need to install as root, nothing about preventing it from running as him.

The potential of those two vulnerabilities together is *quite* unnerving. Does anyone know of a solution to either problem?

TIA
--
David Spacey
[EMAIL PROTECTED]
RE: JSP security issues
> Firstly, our site specification requires a file upload section. I've just confirmed that it's possible to upload a JSP file, and have its code interpreted by Jrun. Not good at all. 8-( My preferred fix is to have the uploads go into their own directory, which Jrun is configured *not* to execute files from. Does anyone know a way to exclude a sub-tree in this way? I've examined the configuration section of Drew Falkman's book, but can't see anything relevant.

I think this would be a matter of Apache configuration. I'm more familiar with IIS; in IIS, you can disable the use of scripts and/or executables within a single directory from within the IIS management console. I'm very sure you can do the same in Apache, but I'm not 100% sure how you'd do it. I suspect you might do something like this:

    <Directory /var/www/somedirectory>
        Options None
    </Directory>

You might want to read the Apache documentation for more details, or a more correct answer. If this works for you, please let me know.

> The second really relates to the JRE. It will insist on running as user 'root.' Who'd have thought that of Sun? It's not like they are UN*X newbies, after all. I've tried setting the java executable to be suid 'apache,' but then it fails to run due to not finding an essential library. A long search of the Web only brought up files about the need to install as root, nothing about preventing it from running as him.

I don't have a clue about that. Sorry.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=8
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=8
Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm
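Spelling out the Apache-side idea from Dave's reply, here is an added example httpd.conf fragment (not from either message, and not JRun's own configuration) in Apache 1.3 syntax that refuses to serve anything code-like out of an upload directory; the path /var/www/html/uploads and the extension list are assumptions to adapt to the real site:

```apache
# Added example, not from the thread: lock down a directory that holds
# user-uploaded files so nothing in it can be treated as server-side code.
# /var/www/html/uploads is an assumed path; substitute the real one.
<Directory "/var/www/html/uploads">
    # No CGI, no server-side includes, no symlink following, no listings
    Options None
    # Ignore any .htaccess that might arrive through the upload form
    AllowOverride None

    # Refuse to serve files whose name ends in an active extension; the
    # list is deliberately wider than .jsp so a renamed upload still fails
    <FilesMatch "\.(jsp|jspx|jsw|jsv|class|jar|cgi|pl|php|shtml|htaccess)$">
        Order allow,deny
        Deny from all
    </FilesMatch>

    # Hand everything else back as an opaque download instead of letting
    # mime.types assign a type that a browser or module might act on
    ForceType application/octet-stream
    # Requires mod_headers; tells browsers to download rather than render
    Header set Content-Disposition attachment
</Directory>
```

Verify it after a restart by placing a harmless file named test.jsp in the directory and requesting it, expecting a 403 rather than executed output; if JRun's Apache connector claims *.jsp URLs before this block is consulted, the dependable fix is to keep the upload directory outside the document root and outside any JRun web application, and serve downloads through a servlet that streams bytes from it.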
Re: JSP security issues
The root security issue has been addressed in JRUN 4

-D

----- Original Message -----
From: David Spacey [EMAIL PROTECTED]
To: JRun-Talk [EMAIL PROTECTED]
Sent: Monday, January 13, 2003 7:03 AM
Subject: JSP security issues

> Hi All,
>
> I act as administrator on a Redhat 7.1 system running Jrun 3.1 with the Sun JRE. I've spotted some security issues, which I could use some advice on.
>
> Firstly, our site specification requires a file upload section. I've just confirmed that it's possible to upload a JSP file, and have its code interpreted by Jrun. Not good at all. 8-( My preferred fix is to have the uploads go into their own directory, which Jrun is configured *not* to execute files from. Does anyone know a way to exclude a sub-tree in this way? I've examined the configuration section of Drew Falkman's book, but can't see anything relevant.
>
> The second really relates to the JRE. It will insist on running as user 'root.' Who'd have thought that of Sun? It's not like they are UN*X newbies, after all. I've tried setting the java executable to be suid 'apache,' but then it fails to run due to not finding an essential library. A long search of the Web only brought up files about the need to install as root, nothing about preventing it from running as him.
>
> The potential of those two vulnerabilities together is *quite* unnerving. Does anyone know of a solution to either problem?
>
> TIA
> --
> David Spacey
> [EMAIL PROTECTED]