cocoon-users mailing list archives

From "Robin Green" <gree...@hotmail.com>
Subject RE: Cocoon and HTTP POST
Date Sat, 09 Sep 2000 20:54:12 GMT
>Well, not automatically, but it was actually too easy: I added (e.g.
>exposed) the ProducerFromRequest producer to cocoon.properties and then
>POSTed to any XSP with the added query 'producer=request'. This streamed
>the XML from the request body (POST with Content-Type "text/xml") back out
>to the client. Note: it didn't look at the XSP file the URL referred to _at
>all_.
>
>There were two problems.
>
>Of course, this should be considered unsafe: someone could potentially POST
>XSP code that ran on the server if they added a <?cocoon-process
>type="xsp"?> line, etc.

Exactly. This is why the ProducerFromRequest has been removed from 1.8-dev, 
and why we recommend everyone else stop using it too.

As for your requirements, I recommend you read in the XML from the XSP page 
instead, using request.getReader () IIRC and the xspParser object, but put 
it all inside a wrapper element. It should be quite simple. That way you 
won't be so vulnerable to Java attacks, because the XSP stage of the 
pipeline will already be completing when the request data is inserted. In 
fact I don't think any malicious code could be executed that way.

>
>To test that, I did exactly that, expecting the XSP I sent to be executed.
>Instead, it then executed the XSP of the file from the URL, not the XSP I
>sent. Seems to me that C1 is not really respecting the producer I selected
>completely, somehow there's a file producer in there too.

Actually it's the stored Java class that is causing the exploit to fail. 
Crackers can still exploit ProducerFromRequest by finding an XSP page that 
hasn't yet been compiled since it was last changed, or a non-XSP page that 
hasn't yet been accessed since the last cocoon restart (it can still be made 
into an XSP page in the request). If they have a partial exploit which 
enables them to touch files, even the above wouldn't be necessary to run 
arbitrary Java code.

Well, there's no point in hiding this any longer - I'm going to write a 
security advisory.
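The input check the reply above recommends, as an added Python example that is not Cocoon's code and not from this thread: an untrusted POST body is refused if it carries any processing instruction (a `<?cocoon-process type="xsp"?>` PI is what makes the pipeline treat it as an XSP page), a DOCTYPE, or is not well-formed, and is otherwise nested inside a wrapper element before being handed to the page's parser. The sample bodies and the wrapper element name are constructed.

```python
import xml.parsers.expat

# Constructed sample request bodies (not taken from the thread).
GOOD_BODY = '<?xml version="1.0"?><order><item sku="A1">2</item></order>'
BAD_BODY = '<?xml version="1.0"?>\n<?cocoon-process type="xsp"?>\n<data>ignored</data>'


def check_untrusted_xml(body):
    """Return (ok, reason) for a request body destined for the pipeline.

    Any processing instruction is refused: the client must not be able to
    choose how the server processes the document. A DOCTYPE is refused as a
    general precaution against entity tricks, and malformed XML is refused too.
    """
    problems = []
    parser = xml.parsers.expat.ParserCreate()

    def on_pi(target, data):
        problems.append("processing instruction <?%s %s?>" % (target, data.strip()))

    def on_doctype(name, sysid, pubid, has_internal_subset):
        problems.append("DOCTYPE %s" % name)

    parser.ProcessingInstructionHandler = on_pi
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as err:
        return False, "not well-formed: %s" % err
    if problems:
        return False, "; ".join(problems)
    return True, "ok"


def wrap_request_xml(body, wrapper="request-data"):
    """Validate body and return it nested inside a wrapper element (name assumed)."""
    ok, reason = check_untrusted_xml(body)
    if not ok:
        raise ValueError("rejected request body: " + reason)
    payload = body.lstrip()
    # An XML declaration is only legal at the very start of a document,
    # so drop it before nesting the payload inside the wrapper.
    if payload.startswith("<?xml"):
        payload = payload[payload.index("?>") + 2:]
    return "<%s>%s</%s>" % (wrapper, payload.strip(), wrapper)


if __name__ == "__main__":
    print(wrap_request_xml(GOOD_BODY))
    print(check_untrusted_xml(BAD_BODY))
```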

