Date: Fri, 25 Jul 2003 20:29:24 +0200 (MES)
From: Marc Schoenefeld <schonef@...-muenster.de>
To: "@stake Advisories" <advisories@...take.com>
Subject: Re: Windows NT 4.0 with IBM JVM Denial of Service


On Wed, 23 Jul 2003, @stake Advisories wrote:

[..]
>
> Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service
>  Release Date: 07/23/2003
>   Application: Any Java application, other applications
>                are possible attack vectors.
>      Platform: Java 2 Runtime Environment, Standard Edition
>                (build 1.3.0), Windows NT 4.0
>      Severity: Denial of service

Analysis:
Windows NT 4.0 : outdated
IBM JAVA 1.3.0 : outdated

File handling in servlets : Bad design anti-pattern (better use EJB)



> Recommendation:
>
> Java developers should identify all occurrences and perform data
> validation where java.io.getCanonicalPath is used.

- That does not help if getCanonicalPath is used in a
  library that is not available in source code. You might
  have to use a decompiler or a tool that searches for
  nested calls to such routines. I have written such a tool; if
  you would like to use it, contact me via email.

- But generally: developers should think about a system design that is not
  based on direct file access in the web tier (least-function principle).

>
> NT 4.0 Administrators running servers which use Java servlets
> should consider installing the Microsoft supplied patch.

- DEPLOYERS should update their JVM (if their code
  does not use proprietary IBM stuff) to an up-to-date JVM like
  Sun JRE 1.4.1_03.

Cheers
Marc
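The advisory's recommendation (validate input wherever java.io.getCanonicalPath is used) and the point about keeping raw file access out of the web tier, as an added Java example that is not from the advisory, the mail, or any IBM/Sun code; the base directory and the allowlist pattern are assumptions:

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

/**
 * Resolve a user-supplied file name against a fixed base directory.
 * The input is checked against an allowlist BEFORE getCanonicalPath()
 * is called, and the canonical result is then confined to the base
 * directory, so untrusted strings never reach the canonicalizer raw.
 */
public final class SafeFileResolver {

    // Assumed document root; not taken from the advisory or the mail.
    private static final File BASE_DIR = new File("C:\\webroot\\docs");

    // Allowlist (assumed policy): plain names only, no separators,
    // no drive letters, at most one extension.
    private static final Pattern SIMPLE_NAME =
        Pattern.compile("[A-Za-z0-9_-]{1,64}(\\.[A-Za-z0-9]{1,8})?");

    private SafeFileResolver() { }

    /** Returns the confined File, or throws if the input is rejected. */
    public static File resolve(String userInput) throws IOException {
        if (userInput == null || !SIMPLE_NAME.matcher(userInput).matches()) {
            // Rejected before any filesystem or canonicalization call.
            throw new IllegalArgumentException("file name rejected by allowlist");
        }
        String base = BASE_DIR.getCanonicalPath() + File.separator;
        File candidate = new File(BASE_DIR, userInput);
        String canonical = candidate.getCanonicalPath();
        // Second check: the canonical path must stay inside the base directory.
        if (!canonical.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return new File(canonical);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs for a quick manual run.
        String[] samples = { "report.pdf", "..\\secret.txt", "a/b.txt", "" };
        for (String s : samples) {
            try {
                System.out.println("'" + s + "' -> " + resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("'" + s + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```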


