river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Simon IJskes - QCG <si...@qcg.nl>
Subject Re: Release 3.0, package rename and ServiceProxyAccessor
Date Wed, 06 Jan 2016 17:53:26 GMT
On 06-01-16 18:49, Simon IJskes - QCG wrote:
> On 06-01-16 13:38, Peter wrote:
>> Your security analysis is too narrow, your thinking like a user, not
>> an attacker.
>> An attacker is not going to send you a proxy to load into a standalone
>> Classloader.  She has the choice of the entire classpath, not you and
>> not River, that's right it's the senders choice, not the receivers.
>> She's looking for vulnerable classes on your classpath.
>> ObjectInputStream will load the attackers instructions. There's no
>> protection domain on the  stack representing the attacker, the
>> attacker is looking to deserialize into privileged context, the
>> attacker wants AllPermission.  This all occurs before your remote
>> method call even returns.  Once the the attacker has privileges, she
>> can create her own URLClassLoader grant AllPermission to her
>> downloaded code, install her own security manager.
> https://cwe.mitre.org/data/definitions/502.html


Has a number of secure coding recomendations.


QCG, Software development, 071-5890970, http://www.qcg.nl
Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397

View raw message