On Fri, 11 May 2001, Craig R. McClanahan wrote:
> Tomcat 4.0-beta-4 is also subject to the "...jsp%00" bug that Marc just
> fixed in 3.2.2 (patch will be committed in a second). However, the more
> serious issue is the introspection one (I can hear Costin laughing at me
> from 600 miles away :-). More on that soon.

Not quite.

The introspection problem is not very serious - it doesn't work if
sandboxing is enabled (at least from what I know - if it works then it's
a very serious VM bug).

If sandboxing is not enabled - a servlet can do much worse than accessing
internal objects - it has read access to all other applications and all
the permissions in the world (read to all files that tomcat can read,
write in other applications' work dir, or even change anything in most
cases).

Of course, even with sandboxing it may be possible to find ways to get to
the internal objects (just look at all the applet security issues in the
browsers), and that would be really serious.

But I couldn't find the trick yet (and it's not that important for me
since I also have the facades). And I'm not sure I'll laugh when someone
finds the trick.

Costin