cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sylvain Wallez <sylv...@apache.org>
Subject Re: variable substitution in @type attributes
Date Wed, 04 Feb 2004 16:30:17 GMT
Nicolas Toper wrote:

>Yes that's how you can hack a lot of PHP servers (yes I was young ;=))
>  
>

Yep it's way easier in PHP (the infamous include injection in PHPNuke)!

>Le Mercredi 04 Février 2004 17:11, Sylvain Wallez a écrit :
>  
>
>>Jorg Heymans wrote:
>>    
>>
>>>>Moreover, the use case shows a component type coming directly for the
>>>>request URI, which is a giant door open to "component injection" by
>>>>providing a value for the type that is not in the expected values and
>>>>executes arbitrary code on the server.
>>>>        
>>>>
>>>Wooo hold on here, what you just described sounds a bit like a buffer
>>>overflow type of exploit, a bit of overkill i think.
>>>
>>>Granted, if i can
>>>1) upload my component
>>>2) reload/restart the servlet container
>>>3) get my components initialize() to run
>>>
>>>then i'm in business. But how feasible is this? Worst case would be if
>>>the user configured fileuploads to go to web-inf/lib or
>>>web-inf/classes but then you're in trouble anyway because i'll upload
>>>my custom servlet class that overwrites the cocoon servlet.
>>>
>>>Understanding your concerns, but needing a higher than extremely
>>>unlikely and isolated usecase,
>>>      
>>>
>>That's not unlikely and doesn't require uploading classes. Consider the
>>following:
>><map:match pattern="*-*.html">
>>  <map:generate src="repository/{1}.xml" type="file"/>
>>  <map:transform type="{2}"/>
>>  <map:serialize type="html"/>
>></map:match>
>>
>>Now suppose we're in a CMS and that the user can upload the initial xml
>>file. What if {2}, which is expected to be "foo" or "bar" is set to
>>"jxtemplate"? The uploaded file iss interpreted and can then execute
>>arbitrary code on the server!
>>
>>Does this sound so unlikely?
>>
>>Sylvain
>>    
>>

-- 
Sylvain Wallez                                  Anyware Technologies
http://www.apache.org/~sylvain           http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
Orixo, the opensource XML business alliance  -  http://www.orixo.com



Mime
View raw message