Difference between revisions of "Invoking untrusted mobile code"

From OWASP
Revision as of 12:28, 16 April 2006



Overview

This process downloads external source code or binaries and executes them.

Consequences

Unspecified.

Exposure period

Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

Languages: Java and C++

Operating platform: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

Avoidance and mitigation

  • Implementation: Avoid doing this without proper cryptographic safeguards.

Discussion

This is an unsafe practice and should not be performed unless one can use some type of cryptographic protection to assure that the mobile code has not been altered.

Examples

In Java:

import java.net.URL;
import java.net.URLClassLoader;

// Loads and initializes a class from an external location with no integrity check on its contents
URL[] classURLs = new URL[]{new URL("file:subdir/")};
URLClassLoader loader = new URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);
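The mitigation stated above (load mobile code only under a cryptographic check that it has not been altered) can be applied to the Java example as follows. This is an added example, not code from the OWASP page: it reads a plugin jar into memory once, compares its SHA-256 against a pinned digest in constant time, and then defines classes only from those verified bytes, so a file swapped on disk after the check cannot be loaded. The jar path `subdir/loadMe.jar`, the class name `loadMe` and the all-zero digest are assumed placeholders; it needs Java 17 or later for `HexFormat`.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;

/** Class loader that defines classes only from an in-memory jar image that has already been verified. */
public final class VerifiedJarLoader extends ClassLoader {

    private final Map<String, byte[]> classBytes = new HashMap<>();

    private VerifiedJarLoader(byte[] jarImage, ClassLoader parent) throws IOException {
        super(parent);
        // Index every .class entry of the verified image by its binary class name.
        try (JarInputStream in = new JarInputStream(new ByteArrayInputStream(jarImage))) {
            JarEntry entry;
            while ((entry = in.getNextJarEntry()) != null) {
                String path = entry.getName();
                if (path.endsWith(".class")) {
                    String name = path.substring(0, path.length() - ".class".length()).replace('/', '.');
                    classBytes.put(name, in.readAllBytes());
                }
            }
        }
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        byte[] b = classBytes.get(name);
        if (b == null) {
            throw new ClassNotFoundException(name);
        }
        return defineClass(name, b, 0, b.length);
    }

    /** Compares the image's SHA-256 with the pinned digest using a constant-time comparison. */
    static boolean digestMatches(byte[] jarImage, String expectedSha256Hex) throws Exception {
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(jarImage);
        byte[] expected = HexFormat.of().parseHex(expectedSha256Hex);
        return MessageDigest.isEqual(actual, expected);
    }

    /** Reads the jar exactly once, verifies those bytes, and loads the class from them. */
    public static Class<?> loadVerified(Path jarPath, String expectedSha256Hex, String className)
            throws Exception {
        byte[] jarImage = Files.readAllBytes(jarPath); // what is checked is exactly what is loaded
        if (!digestMatches(jarImage, expectedSha256Hex)) {
            throw new SecurityException("refusing to load " + jarPath + ": SHA-256 does not match pinned digest");
        }
        VerifiedJarLoader loader = new VerifiedJarLoader(jarImage, VerifiedJarLoader.class.getClassLoader());
        return Class.forName(className, true, loader);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder: the real value is the SHA-256 of the jar as built and reviewed, stored with the application.
        String pinnedSha256 = "0000000000000000000000000000000000000000000000000000000000000000";
        Class<?> loaded = loadVerified(Path.of("subdir/loadMe.jar"), pinnedSha256, "loadMe");
        System.out.println("loaded " + loaded.getName());
    }
}
```

Pinning a digest ties the application to one exact build of the plugin; where plugins are updated independently, the same structure applies with a signature check over the jar bytes (a detached signature verified with `java.security.Signature` against a public key shipped with the application) in place of `digestMatches`, and the key, not the digest, becomes the pinned value.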

Related problems

  • Cross-site scripting
