cocoon-dev mailing list archives

From Geoff Howard <coc...@leverageweb.com>
Subject Re: cocoon-view as possible security problem?
Date Fri, 21 Mar 2003 12:57:31 GMT
At 07:39 AM 3/21/2003, you wrote:
>>By the way, I think there are bigger security problems in cocoon...
>
>Don't be shy and speak out loud :)
>What do you have in mind exactly?
>--
>Torsten

Sorry - wasn't being shy, just trying to be quick and didn't have time to 
get into that fully right now (nor to fix what I mention ATM).  For 
starters though there's this:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14286 (SQL injection in 
DatabaseAuthenicatorAction )

Also, is cocoon-reload still enabled by default?  Seems a wget in a loop 
with ?cocoon-reload=true could put a site in a world of hurt... (by the 
way, last time I checked Jetty/Cocoon cvs is barfing on that..)

I've worked on the multipart file uploads because I felt the original 
status posed security/abuse issues.  It's now at a better point but I think 
there are still some issues I'm not (at an RF level) convinced are 
OK.  IIRC the default is now to allow "in-memory" uploads only which is a 
step better.

I also should have said security "questions" at this stage, because I 
haven't had time to really dig into the nagging questions I've had in some 
areas.  I'll do so and get back.

One I'd really like to look into is places where directory traversal could 
be successful, depending on your matchers.

OK, gotta get back to work - I'm in the middle of a launch.

Geoff 

