tomcat-dev mailing list archives

From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf web.xml
Date Sun, 14 Oct 2001 19:42:45 GMT
Using -security and a properly configured catalina.policy can help protect you.

But the jar files for these servlets should be relocated outside of the
server/lib directory to make it easier to grant a different security policy
to these servlets from the core of catalina.

Regards,

Glenn

costinm@covalent.net wrote:
> 
> On Fri, 12 Oct 2001, Bip Thelin wrote:
> 
> > > -----Original Message-----
> > > From: Remy Maucherat [mailto:rmaucher1@home.com]
> > >
> > > > Very good.
> > > >
> > > > Now SSI - it also seems to allow executing arbitrary exe :-)
> > > >
> > > > BTW, make sure SSIExec is not included in any jar file -
> > > otherwise the
> > > > hacker will just use it ( no need for the servlet, it's a bit more
> > > > difficult to exploit than the cgi servlet, but still disables the
> > > sandbox )
> > >
> > > The helpers are in the SSI JAR, so removing it should solve
> > > the problem.
> > >
> > > Anything else ?
> >
> > Wouldn't it be a better solution to add an option to disable ssi exec
> > that would be disabled by default instead of disabling the whole
> > package?
> 
> As long as you leave SSIServlet ( or any other servlet ) installed any
> webapp can declare it - and then use it. When the servlet is
> executed it'll be called directly by the server, with AllPermissions ( since no
> 'user' code would be in the calling path ). The sandbox can't protect
> against things happening outside the box.
> 
> It is possible to add code to 'downgrade' the permissions before calling
> any servlet, but that could prevent other 'trusted' servlets from
> operating. And it should be properly designed; it's not trivial.
> 
> Costin

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
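The split Glenn describes above, as an added illustration (not a file from the thread or from Tomcat itself): a catalina.policy fragment that keeps full trust for server/lib while giving a relocated servlet jar a narrower grant. The directory ${catalina.home}/shared/ssi/ is an assumed name; it presumes Tomcat is started with -security so the SecurityManager enforces the file.

```text
// Added example, not the thread's or Tomcat's own catalina.policy.
// Assumes the SSI/CGI servlet jar has been moved out of server/lib into
// ${catalina.home}/shared/ssi/ (hypothetical directory name).

// Core Catalina code in server/lib keeps full trust.
grant codeBase "file:${catalina.home}/server/lib/-" {
    permission java.security.AllPermission;
};

// The relocated servlet jar is trusted only for what it needs. It gets no
// java.io.FilePermission with the "execute" action, so a Runtime.exec()
// call made by code from this code base is denied with an
// AccessControlException, even though no webapp code is on the call stack.
grant codeBase "file:${catalina.home}/shared/ssi/-" {
    permission java.io.FilePermission "${catalina.home}/webapps/-", "read";
    permission java.util.PropertyPermission "*", "read";
};
```

Because a permission check passes only if every protection domain on the stack holds the permission, narrowing the jar's own grant is what limits it; while the jar sits in server/lib it shares the AllPermission grant and nothing in the policy file can distinguish it.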
