The Source for Java Technology Collaboration
User: Password:
Register | Login help    

Search

Online Books:
java.net on MarkMail:

Carol McDonald

As a Java Technology Evangelist at Sun Microsystems, Carol McDonald has spoken at various conferences including JavaOne, Java University, Sun Tech Days, Sun Network, Sun Code Camps, JDJEdge, and JUGs including Machester, Boston, Maine, Cologne, FAA, Richmond, Memphis, D.C... Carol blogs about the latest technologies that she is speaking about at http://weblogs.java.net/blog/caroljmcdonald/. Before returning to Sun in 2007, Carol worked 2 1/2 yrs as an Architect on massive OLTP Spring/hibernate application to manage > 10 mill loans for the consumer credit division of a leading automoblile manufacturer and a leading bank. Before joining Sun the first time in 1999 Carol worked on Pharmaceutical Intranet applications for Roche in Switzerland, a Telecom Network Management Application for Digital (now HP) in France, a X.400 Email Server for IBM in Germany, and as a student intern for the National Security Agency. Carol holds a M.S. in Computer Science from the University of Tennessee, a B.S. in Geology from Vanderbilt University, and is a Sun Certified Java Architect and Java Language Programmer. Carol is also Fluent in French and German.

 

Carol McDonald's blog

OWASP Top 10 number 3: Malicious File Execution

Posted by caroljmcdonald on October 8, 2009 at 9:31 AM PDT

 

Number 3 in the Top 10 most critical web application security vulnerabilities identified by the Open Web Application Security Project (OWASP) is Malicious File Execution, which occurs when attacker's files are executed or processed by the web server. This can happen when an input filename is compromised or an uploaded file is improperly trusted.

Examples

  • file is accepted from the user without validating content
  • filename is accepted from the user
In the example below a file name is accepted from the user and appended to the server's filesystem path. 
// get the absolute file path on the server's filesystem 
String dir = servlet.getServletContext().getRealPath("/ebanking")
// get input file name
String file = request.getParameter(“file”); 
//  Create a new File instance from pathname string   
File f = new File((dir + "\\" + file).replaceAll("\\\\", "/"));


If the filename was compromised to  ../../web.xml , it might allow access to web server properties

Malicious File Execution can result in:

  • files loaded from another server and executed within the context of the web server
  • modifying paths to gain access to directories on the web server
  • malicious scripts put into a directory with inadequate access controls

Protecting against Malicious File Execution

  • the Java EE Security Manager should be properly configured to not allow access to files outside the web root.
  • do not allow user input to influence the path name for server resources
    • Inspect code containing a file open, include, create, delete...
  • firewall rules should prevent new outbound connections to external web sites or internally back to any other server. Or isolate the web server in a private subnet
  • Upload files to a destination outside of the web application directory.
    • Enable virus scan on the destination directory.

Java specific Protecting against Malicious File Exection

Use the OWASP ESAPI  HTTPUtilities interface:

  • The ESAPI HTTPUtilities interface is a collection of methods that provide additional security related to HTTP requests, responses, sessions, cookies, headers, and logging.

    The HTTPUtilities getSafeFileUploads method uses the Apache Commons FileUploader to parse the multipart HTTP request and extract any files therein
    public class HTTPUtilities 

    public void getSafeFileUploads(java.io.File tempDir,
                               java.io.File finalDir)
                        throws ValidationException

References and More Information:


»
Related Topics >> Blogs      Java Enterprise      
Comments
Comments are listed in date ascending order (oldest first)

JPA but unrelated to this entry

Submitted by saturon on Wed, 2009-10-21 12:41.
Sorry this is completely unrelated to you post but since you are an expert I just be so free;) : Can you maybe tell me the intrinsic reasons why in the JPA 1.0 EntityManager when retrieving an Object via find, you have to deal with null if not found, but when using the Query interface via createQuery getResultList throws a NoResultException when not found. Maybe i am missing something but I feel its very inconsistent for a Language, and actually I had to do a lot of redesing because of changing from a simple finder to a more fine grained query using the query interface. Thanks Ben
Syndicate content




 

Feedback  | FAQ  | Press | Terms of Use
Privacy  |  Trademarks | Site Map
 
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Participation.
 
Copyright © 1995-2008 Sun Microsystems, Inc.
Collabnet Logo Cognisync Communities
Powered by Sun Microsystems, Inc.,
CollabNet and Cognisync