
Re: security concern: server classes can be downloaded from enhydra web site: msg#00022

java.enhydra.general

Subject: Re: security concern: server classes can be downloaded from enhydra web site

Is anyone working on a patch for this? If not, any pointers on where I should
start? I don't know the Enhydra source that well, but I can try.

Later,

Mark

> On Friday, March 7, 2003, at 02:19 PM, Daniel Germain wrote:
>> Hi,
>>
>> I'm currently performing some tests with an applet
>> referenced in an enhydra page.po and I found
>> accidentally that all the classes from my backend
>> enhydra application can be downloaded over the internet
>> if you know what to look for.
>>
>> As an example, if you take the enhydra demo at the following
>> url:
>>
>> http://enhydra.enhydra.org/server/demos/welcome/Welcome.po
>>
>> and you are able to guess the presentation prefix
>> Server.PresentationPrefix = "com/lutris/appserver/welcome/presentation"
>>
>> you can download the Welcome.class from the following url
>>
>> http://enhydra.enhydra.org/server/demos/welcome/com/lutris/appserver/
>> welcome/presentation/Welcome.class
>>
>> This is not limited to presentation classes. Business classes and data
>> classes can be downloaded as well, so you do not really need to know
>> the presentation prefix if you can guess the package name.
>> E.g. with chat.business.Message
>> http://enhydra.enhydra.org/server/demos/chat/chat/business/
>> Message.class
>>
>> Using a decompiler I was able to recover an equivalent source for
>> Message.java.
>>
>> From what I'm understanding these files can be downloaded as easily
>> as any gifs that are put in the application jar (e.g. welcome.jar).
>> So the workaround would be to put these files outside the jar
>> but within the system classpath, or script classpath? Any other
>> options or patches?
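A quick check for the exposure Daniel describes, added here as an example; it is not code from this thread or from the Enhydra project. It assumes the application serves its jar contents as static resources under its base URL (the shape of the demo URLs quoted above) and takes the fully qualified class names to probe as input. Rather than trusting a 200 status, it reads the first eight bytes and checks for the Java class-file magic, so a server that answers every path with an HTML error page is not reported as exposed. The fake opener and the class-file header bytes used in the demo are constructed so the script runs offline; point `probe` at a real base URL with the default opener to test a live server.

```python
"""Check whether an Enhydra-style application lets .class files be fetched over HTTP.

Added example, not code from the thread or from Enhydra. Assumes the application
serves its jar contents as static resources under the base URL (the behaviour the
thread describes). The fake opener and the class-file bytes in the demo are
constructed so the script can run offline.
"""
from typing import Callable, Dict, Iterable, Optional
import urllib.error
import urllib.request

# Every Java class file starts with these four bytes, followed by minor and major version.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
MAJOR_TO_JDK = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6", 51: "7", 52: "8"}


def class_url(base_url: str, fqcn: str) -> str:
    """Map a fully qualified class name to the path a jar-serving app would expose it at.

    'chat.business.Message' under .../demos/chat becomes .../demos/chat/chat/business/Message.class,
    the same shape as the URLs quoted in the thread.
    """
    return base_url.rstrip("/") + "/" + fqcn.replace(".", "/") + ".class"


def looks_like_class_file(body: bytes) -> Optional[dict]:
    """Return version info if body starts with the class-file magic, else None."""
    if len(body) < 8 or body[:4] != JAVA_CLASS_MAGIC:
        return None
    minor = int.from_bytes(body[4:6], "big")
    major = int.from_bytes(body[6:8], "big")
    return {"major": major, "minor": minor, "jdk": MAJOR_TO_JDK.get(major, "unknown")}


def probe(base_url: str, fqcns: Iterable[str],
          opener: Callable = urllib.request.urlopen,
          timeout: float = 10.0) -> Dict[str, Optional[dict]]:
    """GET the first 8 bytes of each candidate class URL and classify the response.

    `opener` defaults to urllib's urlopen; injecting another callable (see the fake
    below) keeps the logic testable without a network.
    """
    results: Dict[str, Optional[dict]] = {}
    for fqcn in fqcns:
        url = class_url(base_url, fqcn)
        try:
            with opener(url, timeout=timeout) as resp:
                head = resp.read(8)
        except (urllib.error.URLError, OSError):
            results[fqcn] = None  # 404, connection refused, etc.: not reachable via this path
            continue
        results[fqcn] = looks_like_class_file(head)
    return results


def exposed(results: Dict[str, Optional[dict]]) -> list:
    """Names of classes whose bytes came back as genuine class files."""
    return sorted(name for name, info in results.items() if info is not None)


# --- offline test double (constructed; stands in for the server) ---------------------
class _FakeResponse:
    def __init__(self, body: bytes):
        self._body = body

    def read(self, n: int = -1) -> bytes:
        return self._body if n < 0 else self._body[:n]

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def make_fake_opener(served: Dict[str, bytes]) -> Callable:
    """Opener that serves a fixed URL->bytes map and fails like a 404 for anything else."""
    def opener(url: str, timeout: Optional[float] = None):
        if url in served:
            return _FakeResponse(served[url])
        raise urllib.error.URLError("not found")
    return opener


# Constructed sample data: a JDK 1.3 class-file header and an HTML error page.
CLASS_HEADER_1_3 = b"\xca\xfe\xba\xbe\x00\x00\x00\x2f"
HTML_404 = b"<html><body>Not Found</body></html>"

if __name__ == "__main__":
    base = "http://enhydra.enhydra.org/server/demos/chat"  # URL from the thread; not contacted here
    fake = make_fake_opener({
        class_url(base, "chat.business.Message"): CLASS_HEADER_1_3,
        class_url(base, "chat.presentation.Missing"): HTML_404,
    })
    found = probe(base, ["chat.business.Message", "chat.presentation.Missing", "chat.data.Nope"],
                  opener=fake)
    for name in exposed(found):
        print(f"EXPOSED {name} (compiled for JDK {found[name]['jdk']})")
```

The package-to-path mapping is the whole attack surface here: anything a decompiler-equipped attacker can guess (presentation prefix, `business`, `data` packages) becomes a URL. Running the probe against a list of an application's own class names before deployment, and expecting every entry to come back `None`, is a cheap regression check for whichever fix the list settles on.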

