tomcat-dev mailing list archives

From <cost...@covalent.net>
Subject RE: cvs commit: jakarta-tomcat-4.0/catalina/src/conf web.xml
Date Fri, 12 Oct 2001 21:20:04 GMT
On Fri, 12 Oct 2001, Bip Thelin wrote:

> > -----Original Message-----
> > From: Remy Maucherat [mailto:rmaucher1@home.com]
> >
> > > Very good.
> > >
> > > Now SSI - it also seems to allow executing arbitrary exe :-)
> > >
> > > BTW, make sure SSIExec is not included in any jar file - otherwise the
> > > hacker will just use it ( no need for the servlet, it's a bit more
> > > difficult to exploit than the cgi servlet, but still disables the
> > > sandbox )
> >
> > The helpers are in the SSI JAR, so removing it should solve
> > the problem.
> >
> > Anything else ?
>
> Wouldn't it be a better solution to add an option to disable ssi exec
> that would be disabled by default instead of disabling the whole
> package?

As long as you leave SSIServlet ( or any other servlet ) installed any
webapp can declare it - and then use it. When the servlet is
executed it'll be called directly by the server, with AllPermissions ( since no
'user' code would be in the calling path ). The sandbox can't protect
against things happening outside the box.

It is possible to add code to 'downgrade' the permissions before calling
any servlet, but that could prevent other 'trusted' servlets from
operating. And should be properly designed, it's not trivial.

Costin
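
Added example, not part of the original message and not Tomcat code: a sketch of the "downgrade before dispatch" idea using the JDK's stack-based access control, showing a server-shipped helper passing an exec check when only server frames are on the stack, then being denied once the container dispatches it under the declaring webapp's permissions, along with a second trusted helper that is blocked by the same downgrade. The class and helper names, the empty webapp grant, and the in-code `Policy` standing in for the server's AllPermission grant are assumptions; it needs a JDK where the Security Manager APIs still function (JDK 23 or earlier).

```java
import java.io.FilePermission;
import java.security.*;
import java.util.PropertyPermission;

// Added illustration; class and method names are hypothetical, not Tomcat code.
// Assumes a JDK where the Security Manager APIs still function (JDK 23 or earlier).
public class DowngradeDemo {
    // Stand-in for a servlet shipped in the server's own JAR: the kind of check
    // SecurityManager.checkExec makes before a process is started.
    static String execHelper() {
        AccessController.checkPermission(new FilePermission("/bin/sh", "execute"));
        return "exec allowed";
    }

    // Stand-in for a trusted servlet with a legitimate need for server state.
    static String statusHelper() {
        AccessController.checkPermission(new PropertyPermission("catalina.home", "read"));
        return "status allowed";
    }

    // Context carrying only what the declaring webapp was granted (here: nothing).
    static AccessControlContext webappContext() {
        ProtectionDomain webapp = new ProtectionDomain(null, new Permissions());
        return new AccessControlContext(new ProtectionDomain[] { webapp });
    }

    // Container dispatch. acc == null: only server frames are checked.
    // acc != null: the check must also pass for the webapp's domain.
    static String dispatch(PrivilegedAction<String> servlet, AccessControlContext acc) {
        try {
            return AccessController.doPrivileged(servlet, acc);
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Stands in for the policy file granting AllPermission to server code.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.out.println(dispatch(DowngradeDemo::execHelper, null));              // no downgrade
        System.out.println(dispatch(DowngradeDemo::execHelper, webappContext()));   // downgraded
        System.out.println(dispatch(DowngradeDemo::statusHelper, webappContext())); // trusted helper, downgraded
    }
}
```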

