JBoss Seam Interpolator: could it be used to execute commands (java.lang.Runtime.exec)?
I had this odd message on my server before it crashed:
[ (org.jboss.seam.core.Interpolator)] exception interpolating string: #{(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[6]).invoke(expressions.getClass().forName('java.lang.Runtime')).exec('ls')}
javax.el.ELException: java.io.IOException: Cannot run program "ls": java.io.IOException: error=12, Cannot allocate memory
It seems to me that someone tried to execute something through the Interpolator class. I found this code, from an earlier version of Seam:
http://www.java2s.com/Open-Source/Java-Document/JBoss/jboss-seam-2.1.0.A1/org/jboss/seam/core/Interpolator.java.htm
I found this post:
How to solve "java.io.IOException: error=12, Cannot allocate memory" calling Runtime#exec()?
But in my case I'm not trying to solve it; I want to restrict it.
Can I prevent system command execution through a Security Manager? Do you have any suggestions for preventing this kind of execution?
Thanks in advance.
Are you sure that it is YOUR code trying to run "ls" on your server? If not, it looks like someone is trying to exploit this problem in Seam 2. In that case you should upgrade to Seam 2.2.2.Final.
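Added example (not code from the question, the answer, or the Seam project) showing what the Security Manager approach asked about above looks like, and why it is only defence in depth next to the upgrade the answer recommends. `Runtime.exec()` calls `SecurityManager.checkExec(cmd)` before it forks, so a manager that throws from `checkExec` stops the process launch no matter how the caller reached `Runtime`, including the reflective route in the logged expression. The `getDeclaredMethods()[6]` index in that expression is a by-position lookup that depends on the JVM's method ordering; the demo below reaches `getRuntime` by name instead, so it reproduces the same shape reliably. Class and method names here (`NoExecSecurityManager`, `runViaReflection`) are my own. Caveat: the Security Manager was deprecated for removal in JDK 17, `System.setSecurityManager` needs `-Djava.security.manager=allow` from JDK 18, and JDK 24 disabled it permanently, so on a modern JVM this mitigation is not available at all and the code fix (patched Seam, no untrusted input reaching the Interpolator) is the only real answer.

```java
import java.io.FilePermission;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Permission;

public class ExecDenyDemo {

    // Hypothetical manager for this example: refuses every process launch.
    // Runtime.exec() -> ProcessBuilder.start() -> SecurityManager.checkExec(prog),
    // so overriding checkExec blocks direct and reflective callers alike.
    static class NoExecSecurityManager extends SecurityManager {
        @Override
        public void checkExec(String cmd) {
            throw new SecurityException("process execution denied: " + cmd);
        }

        // Everything else is allowed so the demo keeps running. A real
        // deployment would grant the application a narrow policy instead.
        @Override
        public void checkPermission(Permission perm) {
            // Also deny the permission form of the same check, in case a
            // code path asks for FilePermission "execute" directly.
            if (perm instanceof FilePermission
                    && perm.getActions().contains("execute")) {
                throw new SecurityException("execute permission denied: " + perm.getName());
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Mirrors the injected expression: obtain java.lang.Runtime by reflection,
    // fetch the Runtime instance, and invoke exec(String) on it.
    static String runViaReflection(String command) throws Exception {
        Class<?> rt = Class.forName("java.lang.Runtime");
        Method getRuntime = rt.getMethod("getRuntime");
        Object runtime = getRuntime.invoke(null);          // static, no receiver
        Method exec = rt.getMethod("exec", String.class);
        try {
            exec.invoke(runtime, command);
            return "executed: " + command;
        } catch (InvocationTargetException e) {
            // Reflection wraps the SecurityException thrown inside exec().
            Throwable cause = e.getCause();
            if (cause instanceof SecurityException) {
                return "blocked: " + cause.getMessage();
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Without the manager this would actually spawn "ls".
        System.setSecurityManager(new NoExecSecurityManager());
        System.out.println(runViaReflection("ls"));
    }
}
```

Run with `java -Djava.security.manager=allow ExecDenyDemo` on JDK 18 to 23 (plain `java ExecDenyDemo` on JDK 8 to 17); the output is the "blocked:" line rather than a directory listing. The same denial can be expressed without custom code by running the container under `-Djava.security.manager` with a policy file that simply never grants `java.io.FilePermission "<<ALL FILES>>", "execute"`, which is the check `checkExec` performs by default. Either way the attacker's expression still evaluates, which is why the interpolation of untrusted input has to be removed at the source.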