On 08/11/2015 19:13, James Carman wrote:
> If they can execute Runtime.exec then they can execute System.setProperty

Yes. But the point you seem to be missing is that if the system
property is set such that this attack is blocked, they can't use the
attack to change the system property and unblock it.

Mark


> On Sun, Nov 8, 2015 at 2:11 PM James Carman <ja...@carmanconsulting.com>
> wrote:
> 
>> System.setProperty()
>>
>>
>> On Sun, Nov 8, 2015 at 2:10 PM Thomas Neidhart <thomas.neidh...@gmail.com>
>> wrote:
>>
>>> On 11/08/2015 07:51 PM, James Carman wrote:
>>>> Couldn't they use the same attack vector to set a system property also? I
>>>> do believe that would be possible
>>>
>>> for this you need a way to execute code via a de-serialized class.
>>> Right now, the simplest way to do so is via the InvokerTransformer.
>>>
>>> There are surely other ways to do so, but if the only available way is
>>> blocked (i.e. InvokerTransformer can not be deserialized), a remote
>>> attacker cannot set a system property via this attack vector.
>>>
>>> btw. setting a system property can also be restricted by a
>>> SecurityManager.
>>>
>>> I am -1 on a programmatic interface, and for the 4.X branch I propose to
>>> remove the serialization support completely.
>>>
>>> Thomas
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>>> For additional commands, e-mail: dev-h...@commons.apache.org
>>>
>>>
> 
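The point Mark and Thomas are making above, a deserialization block that cannot be undone by the very code it blocks, as an added Java illustration (this is not code from the thread and not the fix that shipped in Commons Collections; the property name `example.deserialization.denylist` and the `Blocked` class are constructed for the example). The policy is read from a system property once, the first time a class has to be resolved, and is held in an immutable snapshot; `resolveClass` runs before a class is loaded and before any `readObject` in the stream executes, so a denylisted class never gets to run, let alone call `System.setProperty`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * ObjectInputStream that refuses to resolve denylisted classes.
 * The denylist comes from a system property (hypothetical name) and is
 * snapshotted the first time the policy is consulted, so code that can only
 * run after deserialization cannot widen it with System.setProperty().
 */
public class RestrictedObjectInputStream extends ObjectInputStream {

    /** Hypothetical property name, chosen for this example. */
    static final String PROPERTY = "example.deserialization.denylist";

    /** Holder class: its static initialiser runs exactly once, on first use. */
    static final class Policy {
        static final Set<String> DENYLIST = load();

        private static Set<String> load() {
            Set<String> names = new HashSet<>();
            for (String n : System.getProperty(PROPERTY, "").split(",")) {
                if (!n.trim().isEmpty()) {
                    names.add(n.trim());
                }
            }
            return Collections.unmodifiableSet(names);
        }
    }

    public RestrictedObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Called before the class is loaded and before any readObject() in
        // the stream executes, so a blocked class never gets a chance to run.
        if (Policy.DENYLIST.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                    "blocked by deserialization policy");
        }
        return super.resolveClass(desc);
    }

    /** Harmless stand-in for a class the policy should block (constructed). */
    static final class Blocked implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new RestrictedObjectInputStream(
                new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Policy set by the operator before any untrusted input is read.
        System.setProperty(PROPERTY, Blocked.class.getName());

        // First deserialization snapshots the policy; Integer is not blocked
        // (a boxed Integer is written with a class descriptor, so resolveClass runs).
        System.out.println("ok: " + deserialize(serialize(Integer.valueOf(42))));

        // A later attempt to widen the policy changes the property, not the snapshot.
        System.setProperty(PROPERTY, "");

        try {
            deserialize(serialize(new Blocked()));
            System.out.println("NOT blocked (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Two design notes: a denylist such as this one only stops the classes you already know about, so an allowlist of the types an application actually expects is the stronger control; and from Java 9 onwards the JDK provides the same hook as a first-class mechanism (`java.io.ObjectInputFilter`, JEP 290), which is preferable to overriding `resolveClass` where it is available. Thomas's remark that a SecurityManager can also restrict `System.setProperty` is a complementary layer, not a replacement for refusing the class in the first place.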