tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob Herrmann <...@jadn.com>
Subject Re: [Proposal] Security Audit
Date Wed, 09 Oct 2002 18:52:08 GMT
FYI, Just to start off, I am going to review these classes.  If
someone else also reviews them, thats probably a good thing...

# classes, package name

17 o.a.c.deploy
9  o.a.c.users
44 o.a.c.*
34 o.a.jk.*
15 j.s.http

Briefly, I am going to look for
 - How/if a ClassLoader is used
 - privilege blocks (are they small, use trusted values)
 - look for non-final static variables (can they be abused)
 - can methods/fields be made private?
 - are mutable objects returned to caller (especially arrays)
   think about returning clones
 - non final equals/hashcode methods? (accessing sensitive stuff?)
 - Serializable (exposes private stuff?)

Does anyone publish a security checklist list like this?

Blah Blah,
-bob


On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote:
> Hi,
> 
> I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I 
> would like to collect as more as information as where you think I should 
> look at (code, security hole, etc.). I'm planning to do the audit using 
> the default SecurityManager. Rigth now, I have started looking at:
> 
> - doPrivilege blocks. Are they small enough? Can they be reduced?
> - JSP generated code. Are they secure? Can a malicious app uses the code 
> to access o.a.catalina code?
> - Is catalina.policy restricted enough?
> - Is our Classloader secure?
> 
> Any direction/ideas/recommendations will be appreciated.
> 
> Thanks,
> 
> -- Jeanfrancois
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
-- 
Bob Herrmann <bob@jadn.com>


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message