Insecure default configuration for Executor.ApprovedExecutables in ESAPI.properties file

Description

From kevin.w.wall@gmail.com on October 07, 2013 13:18:13

The default ESAPI.properties file has an insecure default configuration for the Executor component. The configuration is also OS specific (specific to Windows standard OS install).

Here are the relevant contents for the two properties related to the Executor interface as defined in "configuration/esapi/ESAPI.properties":

# ESAPI Executor
# CHECKME - Not sure what this is used for, but surely it should be made OS independent.
Executor.WorkingDirectory=C:\\Windows\\Temp
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe

Looking at the code in org.owasp.esapi.reference.DefaultExecutor.executeSystemCommand(), it is clear that the property "Executor.ApprovedExecutables" is intended to be a white-list of a set of approved executables, separated by a comma.

As it is defined, by default, both "cmd.exe" and "runas.exe" are permitted, which is overly permissive at best.

The default for the "Executor.ApprovedExecutables" property should be the empty string so that a development team is forced to specify what is acceptable to their specific application.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=307
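The following is an added illustration, not code from ESAPI or from the issue reporter: it shows in Java how a comma-separated "Executor.ApprovedExecutables" property can be loaded into a canonical allow-list and enforced with an exact-match, fail-closed check, and contrasts the shipped default (cmd.exe and runas.exe) with the recommended empty default. The class and method names, and the two Properties objects, are constructed for the example.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Properties;

/**
 * Added illustration (not ESAPI's DefaultExecutor): load an
 * Executor.ApprovedExecutables allow-list and enforce it fail-closed.
 */
public class ApprovedExecutablesDemo {

    /**
     * Parse the comma-separated property into canonical absolute paths.
     * A missing or empty property yields an empty list.
     */
    static List<String> parseApprovedExecutables(Properties props) throws IOException {
        String raw = props.getProperty("Executor.ApprovedExecutables", "");
        List<String> approved = new ArrayList<>();
        for (String entry : raw.split(",")) {
            String trimmed = entry.trim();
            if (trimmed.isEmpty()) {
                continue; // ignore stray separators and the empty default
            }
            // Canonicalize so relative segments and links cannot masquerade as an approved entry.
            approved.add(new File(trimmed).getCanonicalPath());
        }
        return Collections.unmodifiableList(approved);
    }

    /**
     * Exact match against the canonical allow-list. An empty list denies
     * everything, so a team must opt in to each executable explicitly.
     */
    static boolean isApproved(List<String> approved, File executable) throws IOException {
        if (approved.isEmpty()) {
            return false; // fail closed: nothing configured means nothing may run
        }
        return approved.contains(executable.getCanonicalPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the shipped (overly permissive) default quoted in the issue.
        Properties shipped = new Properties();
        shipped.setProperty("Executor.ApprovedExecutables",
                "C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe");

        // Constructed sample: the recommended default, an empty string.
        Properties recommended = new Properties();
        recommended.setProperty("Executor.ApprovedExecutables", "");

        File cmd = new File("C:\\Windows\\System32\\cmd.exe");
        System.out.println("shipped default permits cmd.exe:     "
                + isApproved(parseApprovedExecutables(shipped), cmd));      // true
        System.out.println("recommended default permits cmd.exe: "
                + isApproved(parseApprovedExecutables(recommended), cmd));  // false
    }
}
```

Comparing canonical paths rather than the raw configured strings matters on Windows, where differing case or a trailing separator would otherwise let an equivalent path slip past a naive string comparison; combined with the empty default, every executable that the application may launch has to be listed deliberately.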

Environment

None

Status

Assignee

Unassigned

Reporter

Max Gelman
