界: Environment
本節包括原始程式碼之外的所有內容,但對於建立中產品的安全性仍至關重要。由於此領域所涵蓋的問題與原始程式碼沒有直接關係,因此我們將其與其他領域分開。
WebSphere Misconfiguration: Servlets Served By Class Name
Abstract
系統將應用程式設定為可讓 WebSphere 依類別名稱提供 Servlet。
Explanation
若依類別名稱提供 Servlet,即使應用程式的部署描述符中未對應該 Servlet,仍可讓知道 Servlet 名稱的攻擊者直接叫用。
例如,請想想一個包含 Servlet (其名為
更糟的是,視伺服器的 Classloader 結構而定,攻擊者可能會從同一個 WebSphere 實例中託管的其他應用程式中叫用 Servlet。
例如,請想想一個包含 Servlet (其名為
com.ibm.websphere.samples.MyServlet) 的應用程式。當 ibm-web-ext.xmi 中的 serveServletsByClassnameEnabled (適用於 WAS V6 及更舊版本),或 ibm-web-ext.xml 中的 enable-serving-servlets-by-class-name (自 WAS V7 版起) 設定為 true 時,便可如下要求來呼叫 servlet:http://www.example.com/SomeContextPath/servlet/com.ibm.websphere.samples.MyServlet。更糟的是,視伺服器的 Classloader 結構而定,攻擊者可能會從同一個 WebSphere 實例中託管的其他應用程式中叫用 Servlet。
References
[1] Keys Botzum WebSphere Application Server V6 advanced security hardening -- Part 1
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[3] Standards Mapping - FIPS200 CM
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[10] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[11] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 7.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 2.2.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 2.2.6
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.config.java.websphere_misconfiguration_servlets_served_by_class_name