demba90 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Insecure default configuration for Executor.ApprovedExecutables in ESAPI.properties file #307

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The default ESAPI.properties file has an insecure default configuration for the 
Executor component. The configuration is also OS specific (specific to Windows 
standard OS install).

Here are the relevant contents for the two properties related to the Executor 
interface as defined in "configuration/esapi/ESAPI.properties":

# ESAPI Executor
# CHECKME - Not sure what this is used for, but surely it should be made OS independent.
Executor.WorkingDirectory=C:\\Windows\\Temp
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe

Looking at the code in 
org.owasp.esapi.reference.DefaultExecutor.executeSystemCommand(), it is clear 
that the property "Executor.ApprovedExecutables" is intended to be a white-list 
of a set of approved executables, separated by a comma.

As it is defined, by default, both "cmd.exe" and "runas.exe" are permitted, 
which is overly permissive at best.

The default for the "Executor.ApprovedExecutables" property should be the empty 
string so that a development team is forced to specify what is acceptable to 
their specific application.

Original issue reported on code.google.com by kevin.w.wall@gmail.com on 7 Oct 2013 at 5:18

GoogleCodeExporter commented 8 years ago
Set the 2 Executor properties to the empty string.

Original comment by kevin.w.wall@gmail.com on 21 Nov 2013 at 5:24
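
The difference between the shipped default and the empty-string default discussed in this issue, as an added example that is not part of the original thread and is not ESAPI's own code. The class `ApprovedExecutablesCheck`, its methods, the `RISKY` name list and the case-insensitive exact match are assumptions made for illustration; both property files are constructed inline.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.*;

public class ApprovedExecutablesCheck {
    // Assumption of this example: file names of shells and launchers that make an allow-list meaningless.
    static final Set<String> RISKY = Set.of("cmd.exe", "powershell.exe", "runas.exe", "sh", "bash");

    /** Parse the comma-separated property; a missing or empty value yields an empty allow-list. */
    static List<String> parseAllowList(Properties p) {
        List<String> out = new ArrayList<>();
        for (String entry : p.getProperty("Executor.ApprovedExecutables", "").split(",")) {
            if (!entry.trim().isEmpty()) out.add(entry.trim());
        }
        return out;
    }

    /** Fail closed: only an exact match (case-insensitive, an assumption for Windows paths) is approved. */
    static boolean isApproved(List<String> allow, String executable) {
        for (String a : allow) if (a.equalsIgnoreCase(executable)) return true;
        return false;
    }

    /** Allow-list entries whose file name is a shell or launcher from RISKY. */
    static List<String> riskyEntries(List<String> allow) {
        List<String> hits = new ArrayList<>();
        for (String a : allow) {
            String name = a.substring(Math.max(a.lastIndexOf('\\'), a.lastIndexOf('/')) + 1);
            if (RISKY.contains(name.toLowerCase(Locale.ROOT))) hits.add(a);
        }
        return hits;
    }

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text)); // Properties.load turns each "\\" in the file into one backslash
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: the shipped default from this issue, and the empty default it asks for.
        String shipped = "Executor.ApprovedExecutables=C:\\\\Windows\\\\System32\\\\cmd.exe,C:\\\\Windows\\\\System32\\\\runas.exe\n";
        String fixed = "Executor.ApprovedExecutables=\n";
        String cmd = "C:\\Windows\\System32\\cmd.exe";
        for (String cfg : new String[] {shipped, fixed}) {
            List<String> allow = parseAllowList(load(cfg));
            System.out.println(allow.size() + " entries, risky=" + riskyEntries(allow) + ", cmd.exe approved=" + isApproved(allow, cmd));
        }
    }
}
```

The `riskyEntries` check can be pointed at a deployed ESAPI.properties during review to catch an installation that still carries the old default.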