tomcat-dev mailing list archives

From Glenn Nielsen <>
Subject Re: What Do We Do With The User's Classpath?
Date Fri, 14 Jul 2000 12:29:27 GMT
Paul Speed wrote:
>         Applets are not trusted because you are letting an unknown
> entity into your local machine.  Web apps are different because the
> only way the web app is going to get there is from a user that has
> permissions to add that app.  Logged in to their account they probably
> have access to do more damage than a web server would provide their
> servlets.

I strongly agree with Costin.

The whole concept of a web app is that it is a self-contained application
you can just drop in your webapps dir.  Very few web publishers would have the
skill/knowledge to analyze an entire web app for security.  This puts
the burden of security on the user installing web apps instead of
where it should be, with the system admin.  This is especially the
case for web hosting.  As a sys admin I would prefer to install a
servlet container which implements the Java SecurityManager and
configure security for it once, rather than having to evaluate each
individual web application for security.

My biggest concern is trojan web apps that capture information about
the system the trojan is running on and send it out to a remote
site where that information can be used to try and compromise the system.
Or how about a web app that is designed to trigger a DoS attack against
another system at a specific date/time.

Remember that the Tomcat code is freely available for anyone to
use to try and find ways to compromise a system's security.

>         So it must be server corruption/disruption that you are
> worried about.  From that standpoint, I could easily write a web
> app that could DoS attack the server just by doing a while(true); in
> the init method.

Yes, DoS attacks are harder to protect against.  But this is an internal DoS;
the person doing it has already passed one hurdle, permission to publish
web applications to the server.

Glenn Nielsen    | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
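The "configure security once" approach Glenn describes is, in practice, a Java security policy file that the container loads when started with the SecurityManager enabled (Tomcat's `catalina.sh run -security`). The fragment below is an added example in the syntax of Tomcat's `catalina.policy`; it is not from this thread or from Tomcat's stock policy, and the webapp name `untrusted-app` is a constructed placeholder. It shows the weak setting (every app under `webapps/` trusted completely) beside a per-application grant that withholds exactly the permissions the trojan and DoS scenarios above would need.

```java
// ---- Weak setting: every webapp gets AllPermission. This is the "trust the
// ---- publisher" model the thread argues against; a trojan app can open
// ---- sockets, read any file and call System.exit(). Do not ship this.
grant codeBase "file:${catalina.base}/webapps/-" {
    permission java.security.AllPermission;
};

// ---- Per-application grant (constructed example; "untrusted-app" is a placeholder).
// ---- Classes under WEB-INF/classes and WEB-INF/lib of this app get only what
// ---- is listed here; everything else is denied by the SecurityManager.
grant codeBase "file:${catalina.base}/webapps/untrusted-app/-" {
    // Read-only access to the app's own tree.
    permission java.io.FilePermission "${catalina.base}/webapps/untrusted-app/-", "read";
    // Scratch space: Tomcat's per-app work directory only.
    permission java.io.FilePermission "${catalina.base}/work/-", "read,write,delete";
    // A few harmless system properties.
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "file.separator", "read";

    // Deliberately NOT granted (each denial maps to a concern raised above):
    //   java.net.SocketPermission "*", "connect,resolve"
    //       -> no outbound connections, so captured data cannot be sent to a
    //          remote site and the app cannot be used to flood another host.
    //   java.io.FilePermission "<<ALL FILES>>", "read"
    //       -> cannot read other apps' files or the system's configuration.
    //   java.lang.RuntimePermission "exitVM"
    //       -> cannot call System.exit() and take the whole container down.
    //   java.lang.RuntimePermission "setSecurityManager"
    //       -> cannot remove the sandbox it is running in.
};
```

Permission checks are only as good as the list, so review the grant whenever the app's legitimate needs change, and watch the container log for `AccessControlException` entries, which show both broken apps and apps probing for access they were never meant to have. The policy does not address the `while(true)` case from the quoted message: a SecurityManager mediates access to resources, not CPU time, which is why an internal DoS by an already-authorized publisher remains the harder problem. Note also that the Java platform has deprecated the SecurityManager for removal (JDK 17) and disables it by default from JDK 18 onward, so this mechanism applies to the JDK and Tomcat versions that still support it.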
