-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 23 Jul 2003, @stake Advisories wrote: [..] > > Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service > Release Date: 07/23/2003 > Application: Any Java application, other applications > are possible attack vectors. > Platform: Java 2 Runtime Environment, Standard Edition > (build 1.3.0), Windows NT 4.0 > Severity: Denial of service Analysis: Windows NT 4.0 : outdated IBM JAVA 1.3.0 : outdated File handling in servlets : Bad design anti-pattern (better use EJB) > Recommendation: > > Java developers should identify all occurances and perform data > validation where java.io.getCanonicalPath is used. - - That does not help if the getCanonicalPath is used in a library that is not available in source code. You might have to use a decompiler or use a tool that searches for nested calls to such routines. I have written such a tool if you like to use it contact me via email. - - But generally: Developers should think about system design that does not base on direct file access in the web-tier (least function principle). > > NT 4.0 Administrators running servers which use Java servlets > should consider installing the Microsoft supplied patch. - - DEPLOYERS should update their JVM (if their code does not use proprietary IBM stuff) to an uptodate JVM like Sun JRE 1.4.1_03. Cheers Marc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (AIX) Comment: For info see http://www.gnupg.org iD8DBQE/IXcHqCaQvrKNUNQRAhbZAJwKjg+jSAOceGRehLaZO1HhET6UygCeN1kc 53vU1gWicAZObo19fSWjxbc= =DLEd -----END PGP SIGNATURE-----
