commons-dev mailing list archives

From Thomas Neidhart <thomas.neidh...@gmail.com>
Subject Re: [collection][security] InvokerTransformer misused in java object serialisation exploits
Date Sun, 08 Nov 2015 19:31:31 GMT
On 11/08/2015 08:20 PM, James Carman wrote:
> I think this entire thing can be prevented with a security manager and a
> proper policy in place. Nobody does that, though.

You cannot prevent the use of reflection for public methods via a
SecurityManager.

If you then look at the different provided payloads you can see that an
attacker can inject arbitrary bytecode that is being loaded.

How would you prevent such code from doing anything harmful, especially
considering that it is being executed in the security context of some
trusted component?

Thomas
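The point made above is that once a stream containing an unexpected class has been deserialized, the SecurityManager cannot stop reflection on public methods, and whatever runs does so with the trusted component's privileges. The defensive alternative is to refuse to materialise unexpected classes in the first place. The following is an added example, not code from this thread or from Commons Collections, showing a Java 9+ `ObjectInputFilter` (JEP 290) allow-list installed on an `ObjectInputStream`; the `Greeting` type, the allow-list contents and the depth/reference limits are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

/** Added example (not from the thread): allow-list deserialization filter, Java 9+ (JEP 290). */
public class DeserializationFilterDemo {

    /** The only application type this endpoint expects to receive (constructed for the demo). */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Classes the endpoint may materialise; anything else is rejected before its readObject runs. */
    static final Set<String> ALLOWED_CLASSES = Set.of(
            Greeting.class.getName(),
            String.class.getName());

    /** Filter consulted by ObjectInputStream for every class it is about to resolve. */
    static final ObjectInputFilter ALLOW_LIST = info -> {
        // Crude guard against deeply nested or oversized object graphs (limits are demo values).
        if (info.depth() > 4 || info.references() > 100) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            // This call only carries depth/size metrics, no class to decide on.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        return ALLOWED_CLASSES.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    /** Produce a serialized stream for the demo; in practice the bytes arrive from an untrusted peer. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allow-list installed; returns null when the filter rejected the stream. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        } catch (InvalidClassException e) {
            // Thrown with "filter status: REJECTED" before any readObject of the rejected class runs.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = readFiltered(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ((Greeting) ok).text);

        // A benign HashMap stands in for any class outside the allow-list: its class descriptor is
        // rejected at resolution time, so no code of that class executes in the trusted context.
        Object denied = readFiltered(serialize(new HashMap<String, String>()));
        System.out.println("denied -> " + denied);
    }
}
```

The filter runs when the class descriptor is read, which is earlier than the `readObject` hook that serialization gadget chains rely on, so a rejected class never gets to execute anything. An allow-list is preferable to a deny-list of known gadget classes: the list of classes an endpoint legitimately needs is small and known, while the set of exploitable ones on a given classpath is not. The same filter can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property instead of per stream.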
