Difference between revisions of "Invoking untrusted mobile code"

From OWASP
Jump to: navigation, search
Line 55: Line 55:
  
 
[[Category:Vulnerability]]
 
[[Category:Vulnerability]]
 
+
[[Category:Range and Type Error Vulnerability]]
[[Category:Range and Type Errors]]
+
 
+
 
[[Category:OWASP_CLASP_Project]]
 
[[Category:OWASP_CLASP_Project]]
 +
[[Category:Code Snippet]]
 +
[[Category:Java]]

Revision as of 16:00, 4 August 2006


Overview

This process will download external source or binaries and execute it.

Consequences

Unspecified.

Exposure period

Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

Languages: Java and C++

Operating platform: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

Avoidance and mitigation

  • Implementation: Avoid doing this without proper cryptographic safeguards.

Discussion

This is an unsafe practice and should not be performed unless one can use some type of cryptographic protection to assure that the mobile code has not been altered.

Examples

In Java:

URL[] classURLs= new URL[]{new URL("file:subdir/")};
URLClassLoader loader = nwe URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);

Related problems