view.getClass().forName('java.lang.Runtime'). - 2010 - Ruxcon

More documents

Recommendations

Info

CVE-2010-1871Special HTTP parameter controlled where browsershould be redirected after an action (actionOutcome)If supplied URL started with / and contained HTTPparameters all JBoss EL expressions in parametervalues are executed:/seam?actionOutcome=/p.xhtml%3fpwned%3d%23{expr}Thursday, November 25, 2010
CVE-2010-1871 exploitHow to execute OS commands via JBoss EL?can’t reference java.lang.Runtime directly, sinceresolvers won’t know how to resolve ‘java’Reflection!!!Every Object has Class getClass()And Class has Class forName(String), whichreturns class based on supplied name:view.getClass.forName('java.lang.Runtime')Thursday, November 25, 2010
Page 1 and 2:
Milking a horseorexecuting remote c
Page 3 and 4:
kumys is a fermented dairy productt
Page 5 and 6:
Thursday, November 25, 2010...back
Page 7 and 8:
Plain old servletpublic class MySer
Page 9 and 10:
Problemsa lot of verbose boilerplat
Page 11 and 12:
user code complexityframework code
Page 13 and 14: How secure are these Java framework
Page 15 and 16: ApproachUse IDE (e.g. IntelliJ IDEA
Page 17 and 18: Look at how frameworkimplements its
Page 19 and 20: Nifty featuresRich taglibrary (e.g.
Page 21 and 22: Nifty featuresuser.address.city = B
Page 23 and 24: HTTP parameters == OGNL statementsW
Page 25 and 26: CVE-2010-1870Based on my previous b
Page 27 and 28: XW-641('\u0023' + 'session[\'user\'
Page 29 and 30: XW-641('\u0023' + 'session[\'user\'
Page 31 and 32: CVE-2010-1870There are actually mor
Page 33 and 34: CVE-2010-1870#context[‘xwork.Meth
Page 35 and 36: CVE-2010-1870 exploit#_memberAccess
Page 41 and 42: CVE-2010-1870 fix2.2.1 fixes vulner
Page 43 and 44: SpringSpring MVC is Spring’s web
Page 45 and 46: BeanInfo getBeanInfo(Class beanClas
Page 47 and 48: Introspector.getBeanInfo(Person);fi
Page 49 and 50: Introspector.getBeanInfo(Person);fi
Page 51 and 52: CVE-2010-1622Two problems:How do we
Page 53 and 54: InputTag.tagThursday, November 25,
Page 55 and 56: CVE-2010-1622 exploitDownload org.s
Page 57 and 58: Thursday, November 25, 2010JBoss Se
Page 59 and 60: JBoss SeamCombines EJB3 with JSFPOJ
Page 61 and 62: CVE-2010-1871Special HTTP parameter
Page 63: CVE-2010-1871Special HTTP parameter
Page 67 and 68: CVE-2010-1871 exploitview.getClass.
Page 69 and 70: CVE-2010-1871 exploitview.getClass.
Page 71 and 72: CVE-2010-1871 exploitTo call java.l
Page 73 and 74: How do we get method’s index?/sea
Page 75 and 76: CVE-2010-1871 exploitMethod for Run
Page 77 and 78: CVE-2010-1871 exploit/seam-booking/
Page 79 and 80: Thursday, November 25, 2010
Page 83 and 84: What’s Java security manager?Sing
Page 85 and 86: Thursday, November 25, 2010Are you
Page 87 and 88: Why is nobody’s using it?Thursday
Page 89 and 90: Problems (cont.)Support for privile
Page 91 and 92: How do we solve these?*Thursday, No
Page 93 and 94: ProsWill address some of the perfor
Page 95 and 96: Where’s the code?Alpha version wi
show all

view.getClass().forName('java.lang.Runtime'). - 2010 - Ruxcon

Create successful ePaper yourself

Delete template?

Save as template?