Posted to dev@avalon.apache.org by "Noel J. Bergman" <no...@devtech.com> on 2003/02/22 06:54:30 UTC

SystemManager not optional -- not to mention a security violation

According to the kernel.xml provided to James last Fall, it was optional to
have a system manager.  We just found out that MX4JSystemManager provides an
undocumented backdoor (at least only available from localhost) to violate
application security.  The immediate response was to follow the
documentation and comment out the entire block.  That results in the
exception below.  Replacing the MX4JSystemManager with the NoopSystemManager
fixed the problem.

Is this a known and fixed defect?

It would have been nice if the vulnerabilities created by MX4JSystemManager
had been documented, other than possibly somewhere in the archives of a
mailing list.  Enabling it by default is probably NOT a good idea, and the
kernel.xml section should have a lot more information.

	--- Noel

--------------------------------
Using PHOENIX_HOME:   /home/noel/jakarta/jakarta-james-v2/dist/james-2.1.2
Using PHOENIX_TMPDIR: /home/noel/jakarta/jakarta-james-v2/dist/james-2.1.2/temp
Using JAVA_HOME:      /usr/local/java
Running Phoenix:

Phoenix 4.0.1

There was an uncaught exception:
---------------------------------------------------------
--- Message ---
Unable to provide implementation for org.apache.avalon.phoenix.interfaces.SystemManager (Role='org.apache.avalon.phoenix.interfaces.SystemManager')
--- Stack Trace ---
org.apache.avalon.framework.service.ServiceException: Unable to provide implementation for org.apache.avalon.phoenix.interfaces.SystemManager (Role='org.apache.avalon.phoenix.interfaces.SystemManager')
        at org.apache.avalon.framework.service.DefaultServiceManager.lookup(DefaultServiceManager.java:72)
        at org.apache.avalon.phoenix.components.kernel.DefaultKernel.service(DefaultKernel.java:76)
        at org.apache.avalon.framework.container.ContainerUtil.service(ContainerUtil.java:134)
        at org.apache.avalon.phoenix.components.embeddor.DefaultEmbeddor.setupComponent(DefaultEmbeddor.java:528)
        at org.apache.avalon.phoenix.components.embeddor.DefaultEmbeddor.setupComponents(DefaultEmbeddor.java:507)
        at org.apache.avalon.phoenix.components.embeddor.DefaultEmbeddor.initialize(DefaultEmbeddor.java:200)
        at org.apache.avalon.framework.container.ContainerUtil.initialize(ContainerUtil.java:235)
        at org.apache.avalon.phoenix.frontends.CLIMain.startup(CLIMain.java:194)
        at org.apache.avalon.phoenix.frontends.CLIMain.execute(CLIMain.java:122)
        at org.apache.avalon.phoenix.frontends.CLIMain.main(CLIMain.java:102)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.avalon.phoenix.launcher.Main.startup(Main.java:94)
        at org.apache.avalon.phoenix.launcher.Main.main(Main.java:46)

---------------------------------------------------------
The log file may contain further details of error.
Please check the configuration files and restart Phoenix.
If the problem persists, contact the Avalon project.  See
http://jakarta.apache.org/avalon for more information.

