Rogan Dawes
Hi,
I was performing a security review of a web application, and encountered
a form where the class to use to format a report was specified as a form
variable.
i.e. the code was doing
Class.forName(userInput).newInstance();
In my mind, this could be open to abuse. The "attacker" could tell the
app server to create an instance of ANY class he chooses, so long as
that class exists on the class path.
In this particular case, the app server was Tomcat 4.
Can anyone think of a way that this ability could be exploited to gain
additional access to the system?
e.g. reading or writing a file, opening a network connection, starting
up a new servlet, etc?
Looking at it logically, I don't think that it is SUCH a big deal. But
then, I don't know all the classes that exist by default on a Tomcat
classpath.
If anyone could prove me wrong, that would be good! ;-)
Regards,
Rogan
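
An added example, not part of the original post or of the application under review: one way to keep the formatter choice in a form variable without handing that variable to Class.forName, by mapping a short key to a fixed allowlist and checking the type before instantiation. The ReportFormatter interface, the two formatter classes and the keys are hypothetical, and the code assumes Java 9 or later.

```java
import java.util.Map;

// Hypothetical types: the post does not name the application's formatter classes.
interface ReportFormatter {
    String format(String report);
}

final class PlainTextFormatter implements ReportFormatter {
    public String format(String report) { return report; }
}

final class CsvFormatter implements ReportFormatter {
    public String format(String report) { return report.replace('\t', ','); }
}

public class FormatterFactory {
    // The form variable carries a short key; class names never come from the request.
    private static final Map<String, String> ALLOWED = Map.of(
        "text", "PlainTextFormatter",
        "csv", "CsvFormatter");

    static ReportFormatter forKey(String userInput) throws ReflectiveOperationException {
        String className = (userInput == null) ? null : ALLOWED.get(userInput);
        if (className == null) {
            throw new IllegalArgumentException("unknown report format");
        }
        // initialize=false: no static initializer runs before the type check below.
        Class<?> loaded = Class.forName(className, false, FormatterFactory.class.getClassLoader());
        // asSubclass throws ClassCastException unless the class implements ReportFormatter.
        Class<? extends ReportFormatter> type = loaded.asSubclass(ReportFormatter.class);
        return type.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(forKey("csv").format("a\tb")); // allowed key
        // Class names sent directly, as in the reviewed form, are refused.
        for (String bad : new String[] {"java.lang.Thread", "CsvFormatter", ""}) {
            try {
                forKey(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: \"" + bad + "\"");
            }
        }
    }
}
```

The type check alone is not sufficient when the name still comes from the request, because a constructor or static initializer can have side effects before any cast fails; the allowlist is what removes the attacker's choice of class.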