dev@glassfish.java.net

Re: request asarch review for deploy command enhancement in GlassFish

From: Bill Shannon <bill.shannon_at_oracle.com>
Date: Wed, 22 May 2013 17:13:05 -0700

吕宋平 wrote on 05/22/13 01:18:
>
> Hi, Bill:
>
> Cc: asarch_ww members, Security team:
>
>
>
> Yes, the one-pager that was approved on the wiki didn't take such a security
> problem into account. The change can cause the server to access files and
> network resources that the administrator might not be able to access directly.
> But I think this security issue only happens with the file:// syntax.
>
> I think both the administrator and the server can access the source file
> and network resource when it comes to the http:// and ftp:// syntax, so
> I think there is no need to take security into consideration in these
> situations.
>
The ability to access it might depend on what IP address is being used, which
will be different between the client and the server.

You also have to be sure that the server isn't going to use any HTTP
authentication when accessing the resource since the client might not have
permission to use that authentication information stored on the server.

> [For Example]
>
> A: glassfish server
>
> B: glassfish server
>
> C: ftp server
>
> D: http server
>
>
>
> (1) Deploy the application from machine B (regard A as the admin client
> side and B as the server side)
>
> Execute the command line on machine A as “asadmin deployuri --host
> host_address_B file:///etc/appname”. It's true that administrator A can't
> access the application that exists on machine B, but the application will be
> deployed to B through this command; the administrator of A only knows the
> application name but doesn't know what exists in the application. I don't
> think it will affect security so much.
>
>
>
> (2) Deploy the application from machine C
>
> Execute the command line on machine A as “asadmin deployuri
> ftp://username:password@host_C:21/appname”. I think both the administrator
> and the server side on machine A can access the application that exists on
> FTP server C. I think there is no need to take security into consideration
> here because both the administrator and the server can access the source file.
>
>
>
> (3) Deploy the application from machine D
>
> Execute the command line on machine A as “asadmin deployuri
> http://host_address_D/appname”. I think both the administrator and the server
> side on machine A can access the application that exists on HTTP server D. I
> think there is no need to take security into consideration here because both
> the administrator and the server can access the source file.
>
>
>
> > Perhaps I'm being paranoid but I'd like to see some discussion about the
> > security implications of being able to tell the server to access resources
> > that you might not be able to access directly. Certainly the check for
> > filename extensions will help, but you still need to be sure to handle cases
> > such as "file:///etc/passwd?name=foo.ear".
>
> I'm not sure about the file:// syntax
> "file:///etc/passwd?name=foo.ear". Could you clarify this?
If you just look at the end of the string to see if it ends with ".ear", you'll
think that name is ok. But it's not. It actually accesses the /etc/passwd file.

> I don't think the change will affect security too much. So I hope you and
> the security team will list more questions and discussion here.
Yes, I really want to hear more from our security experts.
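
The suffix-check pitfall Bill describes, as an added example that is not part of this thread and not GlassFish code: a validator that only inspects the raw string accepts "file:///etc/passwd?name=foo.ear" because the string ends in ".ear", while a validator that parses the URI, rejects query and fragment components, %-decodes the path and checks the extension on the path the server would actually open rejects it. It also confines file: paths to a staging directory and refuses loopback or link-local literal addresses for remote schemes, which addresses the two concerns raised above (the server reading files with its own privileges, and the server sitting at a different network position than the admin client). The scheme list, the extension list, the staging directory /var/glassfish/deploy-staging and the address rule are assumptions chosen for illustration, not GlassFish behaviour.

```python
# Added example, not GlassFish code: contrast a naive suffix check on the raw
# URI string with a check on the parsed URI. Scheme list, extension list,
# staging directory and the literal-address rule below are assumptions.
import ipaddress
import posixpath
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"file", "http", "https", "ftp"}
ALLOWED_EXTENSIONS = (".ear", ".war", ".jar", ".rar")
# Assumed: the only directory the server may read deployable archives from.
DEPLOY_ROOT = "/var/glassfish/deploy-staging"


def naive_accepts(uri: str) -> bool:
    """The check the thread warns about: only look at the end of the raw string.
    "file:///etc/passwd?name=foo.ear" ends in ".ear", so it is accepted."""
    return uri.lower().endswith(ALLOWED_EXTENSIONS)


def validate_deploy_uri(uri: str) -> tuple[bool, str]:
    """Return (accepted, reason). Decisions are made on the parsed components,
    i.e. on what the server would actually open, not on the raw string."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"

    # A query or fragment never belongs in a reference to an archive; this is
    # exactly where "?name=foo.ear" hides.
    if parts.query or parts.fragment:
        return False, "query or fragment not allowed in a deploy URI"

    # %-decode so that "passwd%3Fname=foo.ear" is judged as the name the
    # server would open ("passwd?name=foo.ear"), not as its encoded form.
    path = unquote(parts.path)
    if not path.lower().endswith(ALLOWED_EXTENSIONS):
        return False, f"path {path!r} does not end with an allowed extension"

    if scheme == "file":
        # The server reads this path with its own privileges, so confine it to
        # the staging directory after collapsing any "..".
        if parts.netloc not in ("", "localhost"):
            return False, "file: URIs must be local"
        normalized = posixpath.normpath(path)
        if not normalized.startswith(DEPLOY_ROOT + "/"):
            return False, f"{normalized!r} is outside {DEPLOY_ROOT!r}"
        return True, "ok"

    # Remote schemes: the server's network position differs from the client's.
    # Reject literal addresses that only make sense from the server itself.
    # (Hostnames would need resolution at fetch time, which is not done here.)
    host = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, not a literal address
    if addr is not None and (addr.is_loopback or addr.is_link_local
                             or addr.is_unspecified):
        return False, f"address {host} refers to the server itself"
    return True, "ok"


if __name__ == "__main__":
    for uri in ("file:///etc/passwd?name=foo.ear",
                "file:///etc/passwd%3Fname=foo.ear",
                "file:///var/glassfish/deploy-staging/../../../etc/foo.ear",
                "file:///var/glassfish/deploy-staging/appname.ear",
                "http://host_address_D/appname.ear",
                "http://127.0.0.1:4848/appname.ear"):
        print(f"naive={naive_accepts(uri)!s:5} parsed={validate_deploy_uri(uri)[0]!s:5} {uri}")
```

Two things the example deliberately leaves to the real implementation: hostnames have to be resolved at fetch time and checked against the same address rule (a name can resolve to 127.0.0.1 just as well as a literal can), and, per Bill's second point, the fetch must not attach HTTP credentials stored on the server, since the admin issuing the command may not be entitled to use them.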