Subject: Re: [Proposal] Security Audit
From: Bob Herrmann
To: Tomcat Developers List
In-Reply-To: <3DA341CE.503@apache.org>
References: <3DA2C0E7.6000505@apache.org> <3DA341CE.503@apache.org>
Message-Id: <1034189528.2010.135.camel@hue.jadn.com>
Date: 09 Oct 2002 14:52:08 -0400
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
List-Id: "Tomcat Developers List"

FYI,

Just to start off, I am going to review these classes. If someone else
also reviews them, that's probably a good thing...

  # classes   package name
         17   o.a.c.deploy
          9   o.a.c.users
         44   o.a.c.*
         34   o.a.jk.*
         15   j.s.http

Briefly, I am going to look for

 - How/if a ClassLoader is used
 - privilege blocks (are they small, use trusted values)
 - look for non-final static variables (can they be abused)
 - can methods/fields be made private?
 - are mutable objects returned to caller (especially arrays)
   think about returning clones
 - non final equals/hashcode methods? (accessing sensitive stuff?)
 - Serializable (exposes private stuff?)

Does anyone publish a security checklist like this?

Blah Blah,
-bob

On Tue, 2002-10-08 at 16:36, Jean-Francois Arcand wrote:
> Hi,
>
> I'm looking to do a Security Audit on the current Tomcat 5.0 codebase. I
> would like to collect as much information as possible as to where you
> think I should look (code, security hole, etc.). I'm planning to do the
> audit using the default SecurityManager. Right now, I have started
> looking at:
>
> - doPrivilege blocks. Are they small enough? Can they be reduced?
> - JSP generated code. Are they secure? Can a malicious app use the code
>   to access o.a.catalina code?
> - Is catalina.policy restricted enough?
> - Is our Classloader secure?
>
> Any direction/ideas/recommendations will be appreciated.
>
> Thanks,
>
> -- Jeanfrancois

--
Bob Herrmann
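The checklist items above (non-final statics, mutable arrays handed back to callers, and oversized privilege blocks fed with caller-controlled values) are easier to recognise with a concrete before/after. The class below is an added illustration written for this archive page, not code from the thread or from Tomcat; AuditChecklistDemo, TRUSTED_ROOTS and the hypothetical trustedRootsLeaky/readPropertyLeaky methods are all assumed names.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;

// Hypothetical class showing the audit checklist items; not Tomcat code.
public final class AuditChecklistDemo {

    // Checklist: non-final static variables. A non-final static can be
    // reassigned by any class that can reach it; 'final' removes that avenue.
    // BAD:  public static String[] trustedRoots = { "/opt/app/conf" };
    private static final String[] TRUSTED_ROOTS = { "/opt/app/conf" };

    // Checklist: mutable objects returned to the caller (especially arrays).
    // 'final' only pins the reference; handing out the array itself lets the
    // caller rewrite TRUSTED_ROOTS[0] behind the class's back.
    static String[] trustedRootsLeaky() {
        return TRUSTED_ROOTS;
    }

    // Fixed: return a defensive copy, as the checklist suggests.
    static String[] trustedRoots() {
        return TRUSTED_ROOTS.clone();
    }

    // Checklist: privilege blocks small and driven by trusted values.
    // BAD: the caller's untrusted key is evaluated with this class's
    // privileges, so any property becomes readable through this method.
    static String readPropertyLeaky(final String callerSuppliedKey) {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(callerSuppliedKey));
    }

    // Fixed: the privileged action uses only a constant the class owns and
    // contains nothing beyond that single call.
    private static final String HOME_KEY = "java.home";
    static String javaHome() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(HOME_KEY));
    }

    public static void main(String[] args) {
        String[] leaked = trustedRootsLeaky();
        leaked[0] = "/tmp/not-trusted";      // internal state is now corrupted
        System.out.println(Arrays.toString(TRUSTED_ROOTS));
        String[] copy = trustedRoots();
        copy[0] = "/tmp/other";              // only the copy changes
        System.out.println(Arrays.toString(TRUSTED_ROOTS));
        System.out.println(javaHome());
    }
}
```

The first println shows the corrupted value, the second shows the original surviving because only the clone was modified; under a SecurityManager the same contrast applies to readPropertyLeaky versus javaHome.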