
SECURITY: Arbitrary binary deserialization leading to a variety of security impacts in restlet #778

Closed
thboileau opened this issue Aug 22, 2013 · 1 comment


@thboileau
Contributor

Reported by David Jorm:
A remote attacker could use this flaw to trigger the execution of the deserialization methods in any serializable class deployed on the server. This could lead to a variety of security impacts depending on the deserialization logic of these classes.

This might sound innocuous at first, but it is surprisingly common for classes to implement their own deserialization methods which are not secure when an attacker can call them with an arbitrary crafted instance of the object. This article provides a good explanation of the issue, and a solution to it:

http://www.ibm.com/developerworks/library/se-lookahead/
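The defence the linked article describes is "look-ahead" deserialization: subclass ObjectInputStream and override resolveClass so that a class descriptor is checked against an allow-list before any instance of that class is created, which means a crafted payload's readObject()/readResolve() logic never runs. The following is an added, self-contained Java example of that pattern written for this page; it is not Restlet code and does not show how ObjectRepresentation is implemented. The class names LookAheadObjectInputStream, Greeting and SideEffect are constructed for the demonstration, and SideEffect stands in for any deployed class whose custom readObject has side effects.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

public class LookAheadDeserialization {

    /** ObjectInputStream that only resolves classes on an explicit allow-list (constructed for this example). */
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // resolveClass is invoked when the class descriptor is read, before any
            // instance exists, so rejecting here prevents readObject()/readResolve()
            // of an unexpected class from ever executing.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    /** The harmless type the endpoint actually expects (constructed for this example). */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Stand-in for a deployed class whose custom readObject does something an attacker wants triggered. */
    static final class SideEffect implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // In a real class this might touch files, the network or application state.
            throw new IllegalStateException("custom readObject executed");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Hardened path: only classes named in 'allowed' can be instantiated from the stream. */
    static Object deserializeChecked(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    /** Vulnerable path: plain ObjectInputStream instantiates whatever the stream names. */
    static Object deserializeUnchecked(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton(Greeting.class.getName());

        byte[] expected = serialize(new Greeting("hello"));
        Greeting g = (Greeting) deserializeChecked(expected, allowed);
        System.out.println("accepted: " + g.text);

        // Constructed "attacker" payload: a serialized instance of a class the endpoint never asked for.
        byte[] crafted = serialize(new SideEffect());
        try {
            deserializeChecked(crafted, allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected before readObject ran: " + e.classname);
        }
        try {
            deserializeUnchecked(crafted);
        } catch (IllegalStateException e) {
            System.out.println("plain ObjectInputStream: " + e.getMessage());
        }
    }
}
```

The allow-list should name only the concrete classes (and the classes of their serializable fields) the endpoint genuinely expects; a pattern such as a package prefix reintroduces the problem if any class under it has an unsafe readObject. On Java 9 and later (and 8u121+), the same check can be expressed with the JEP 290 ObjectInputFilter API via ObjectInputStream.setObjectInputFilter, which also lets you bound object graph depth and array sizes.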

ghost assigned thboileau Aug 22, 2013
thboileau pushed a commit that referenced this issue Aug 22, 2013
thboileau pushed a commit that referenced this issue Sep 6, 2013
…serialization, binary-deserialization on ObjectRepresentation class. Reported by David Jorm.
@jlouvel
Member

jlouvel commented Sep 19, 2013

Thierry, can we close this issue?
