On Thu, Jul 29, 2010 at 04:28:23PM +1000, Daniel Pittman wrote:
> dave b <db.pub.m...@gmail.com> writes:
>
> >>> soon. /me mutters something about OH MY THEY ESCAPED FROM THE JVM.
> >>
> >> Do you have a reference for that?
> >
> > Here is a recent example :)
> > http://blog.cr0.org/2009/05/write-once-own-everyone.html
> > You can find older examples as well :)
>
> Thanks. That saves me searching around to try and find the same information
> myself. :)
I like this one that Dave gave me on irc: http://www.securiteam.com/securitynews/5YP381520Y.html

It's not a breakout, but it's a way of compromising a server JVM, which then (at least potentially) lets you use the breakout techniques on that JVM. So yeah, everything suggested here is incremental security and only gives brittle shells of isolation.

Here's another measure: mod_security (http://www.modsecurity.org/)

You should also follow recommendations such as those given at the Open Web Application Security Project (http://www.owasp.org/)

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html