From firstname.lastname@example.org on October 07, 2013 13:18:13
The default ESAPI.properties file has an insecure default configuration for the Executor component. The configuration is also OS specific (specific to Windows standard OS install).
Here is the relevant contents for the two properties related to the Executor interface as defined in "configuration/esapi/ESAPI.properties":
Looking at the code in org.owasp.esapi.reference.DefaultExecutor.executeSystemCommand(), it is clear that the property "Executor.ApprovedExecutables" is intended to be a white-list of a set of approved executables, separated by a comma.
As it is defined, by default, both "cmd.exe" and "runas.exe" are permitted, which is overly permissive at best.
The default for the "Executor.ApprovedExecutables" property should be the empty string so that a development team is forced to specify what is acceptable to their specific application.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=307