[OWASP-WEBGOAT]WebGoat - in Windows or Linux?
Mark Curphey
mark at curphey.com
Sat Nov 30 19:23:04 EST 2002
We could probably set a security manager to allow read for os.arch,
os.version and os.name and then set exec according to the os installed.
I'll do this and commit it to CVS.
On Sat, 2002-11-30 at 12:47, Bruce Mayhew wrote:
> Mads
>
> You are not doing anything wrong :)
>
> The unchecked email may eventually send the email but it does not do so now.
> Currently, we mimic what the user would see when opening the email message.
> The exec'ing of a command should be commented out until the platform
> independent sending of email is implemented. I believe the results you see
> on the screen are the same whether or not the exec succeeds.
>
>
> The Parameter Injection page does not check the platform before issuing the
> command. You can either modify the source to execute a unix command:
>
> ParameterInjection.java - line 43
> replace
> ec.addElement(exec("cmd.exe /c dir /b " + dir));
> with
> ec.addElement(exec("ls -l " + dir));
>
> or put a platform check in the code to execute the appropriate command. The
> platform stuff should be fixed in the next release.
>
> We noticed the Tomcat version problem a little too late.... Sounds like you
> figured it out though.
>
> bruce.
>
> ----- Original Message -----
> From: "Mads Rasmussen" <mads at opencs.com.br>
> To: <owasp-webgoat at lists.sourceforge.net>
> Sent: Wednesday, November 27, 2002 2:18 PM
> Subject: [OWASP-WEBGOAT]WebGoat - in Windows or Linux?
>
>
>
> It seems that WebGoat only works with Tomcat 4.1.12 (maybe newer
> versions as well).
>
> I had problems with 4.0.6 but all went smoothly when I moved to 4.1.12
>
> I encountered some oddities though
>
> Here is a resume:
>
> 1) the 'Unchecked mail' page seems designed to run on a linux/unix
> platform (you spawn sendmail). I haven't looked at the code but it calls
> up cmd that is a windows shell. So that didn't work for me in windows.
>
> And in windows you don't have the sendmail program :)
>
> In linux:
>
> ExecResults for 'cmd.exe /c sendmail mads at opencs.com.br'
>
> Returncode: 0
> Exception: java.io.IOException: cmd.exe: not found
>
> In windows:
>
> ExecResults for 'cmd.exe /c sendmail mads at opencs.com.br'
>
> Returncode: 1
> Bad return code (expected 0)
>
>
> 2) The parameter injection page that throws a dir listing does not work
> in linux because it tries to spawn the 'cmd' shell once again.
>
> Maybe (most likely) I have misunderstood something
>
> Do you have an idea of what I am doing wrong?
>
> What would be the recommended machine architecture for running this?
>
> Regards,
>
> Mads Rasmussen
> Open Communications Security
> +55(11)3345-2525
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Get the new Palm Tungsten T
> handheld. Power & Color in a compact size!
> http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
> _______________________________________________
> OWASP-WEBGOAT mailing list
> OWASP-WEBGOAT at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-webgoat
--
Mark Curphey <mark at curphey.com>
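
A sketch of the platform check discussed in this thread, as an added example that is not WebGoat's code: it picks the listing command from os.name and reports results in the style of the ExecResults output quoted above. The class PlatformListing and its methods listingCommand and run are hypothetical names, not WebGoat's exec helper, and dir is passed as a separate argument rather than concatenated into a command string, so this is not a drop-in for line 43 of ParameterInjection.java.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class PlatformListing {

    // Choose the listing command from os.name instead of hard-coding cmd.exe.
    static List<String> listingCommand(String osName, String dir) {
        if (osName.toLowerCase(Locale.ROOT).startsWith("windows")) {
            // dir is a cmd.exe builtin, so the Windows branch still needs the shell.
            return Arrays.asList("cmd.exe", "/c", "dir", "/b", dir);
        }
        // ls is a standalone binary: no shell; "--" keeps dir from being read as an option.
        return Arrays.asList("ls", "-l", "--", dir);
    }

    // Run the command and report it in the style of the ExecResults output quoted above.
    static String run(List<String> argv) {
        StringBuilder out = new StringBuilder("ExecResults for " + argv + "\n");
        try {
            Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(p.getInputStream()))) {
                String line;
                while ((line = r.readLine()) != null) {
                    out.append(line).append('\n');
                }
            }
            out.append("Returncode: ").append(p.waitFor()).append('\n');
        } catch (IOException e) {
            // A missing binary (cmd.exe on Linux) surfaces here, not as a return code.
            out.append("Exception: ").append(e).append('\n');
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            out.append("Exception: ").append(e).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Under a security manager this needs PropertyPermission("os.name", "read").
        String os = System.getProperty("os.name");
        String dir = args.length > 0 ? args[0] : ".";
        System.out.print(run(listingCommand(os, dir)));
    }
}
```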