I have read through that fastly blog twice.
TO ME (NOTtheJavaProgrammer) it would seem that some pretty bad
assumptions must have been made by those writing code such as this. Bad
is in 'just do what you are asked, don't question.'
Now it would SEEM like the code should have some logic like this:
Check 'requested action' against 'Valid Actions' and execute only if
true. If false then 'don't do that.'
In my 'non-java' mindset it seems that coding to 'allow anything' is
just a train wreck looking for a time and a place.
It reminds me of the battle between TinyDNS (a.k.a. DJBDNS) and BIND.
BIND has been hacked a million times and appears with some frequency in
CVEs. DJBDNS however was written to not be hackable and the author
posted an award for someone who hacked it. It took many years before the
award was claimed and even then on a technicality not truly an exploit.
The Author specifically used this application to show how to code for
both performance AND security, with security being the most important.
It would seem to me that security needs to be 'higher up' on the
thinking of those writing code these days.
On 12/14/2021 1:50 PM, Jack Woehr via MIDRANGE-L wrote:
On Tue, Dec 14, 2021 at 11:40 AM Brad Stone <bvstone@xxxxxxxxx> wrote:
Anyone care to share a real world example of how this would hurt someone on
the IBM i? From what I understand it requires a lot of variables... one
being that the attacker needs to be able to inject commands into the
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.