Invoking untrusted mobile code

From OWASP
Revision as of 07:27, 18 September 2008 by KirstenS (Talk | contribs)

Jump to: navigation, search


Overview

This process will download external source or binaries and execute it.

Consequences

Unspecified.

Exposure period

Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

Languages: Java and C++

Operating platform: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

Avoidance and mitigation

  • Implementation: Avoid doing this without proper cryptographic safeguards.

Discussion

This is an unsafe practice and should not be performed unless one can use some type of cryptographic protection to assure that the mobile code has not been altered.

Examples

In Java:

URL[] classURLs= new URL[]{new URL("file:subdir/")};
URLClassLoader loader = nwe URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);

Related problems