  1. #1
    ekta is offline Member
    Join Date
    Jan 2014
    Posts
    3
    Rep Power
    0

    Default Security in java

    Hi friends,


    I want to make my code secure. When I am using HP Fortify on my code, it is showing a path manipulation error on a line.
    Can you please help me in resolving it?
    I am new to this.
    Thanks.
    Last edited by ekta; 01-27-2014 at 12:20 PM.

  2. #2
    kjkrum's Avatar
    kjkrum is offline Senior Member
    Join Date
    Apr 2011
    Location
    Tucson, AZ
    Posts
    1,060
    Rep Power
    6

    Default Re: Security in java

    "Secure" could mean a dozen different things. Post some code and ask specific questions about the problems you're having.
    Get in the habit of using standard Java naming conventions!

  3. #3
    ekta is offline Member
    Join Date
    Jan 2014
    Posts
    3
    Rep Power
    0

    Default Re: Security in java

    The security bug is path manipulation on line 75.


    Java Code:
    [highlight=Java]
    import java.io.*;
    import java.net.*;

    public class FtpServer
    {
         public static void main(String[] args)
         {
              int i = 1; // id given to each connecting client

              System.out.println("**************************");
              System.out.println("*****   FTP SERVER *******");
              System.out.println("*********************************************");
              System.out.println("Server Started...");
              System.out.println("Waiting for connections...");
              System.out.println(" ");
              try
              {
                   ServerSocket s = new ServerSocket(100);
                   // Accept clients forever, one thread per connection
                   for (;;)
                   {
                        Socket incoming = s.accept();
                        System.out.println("New Client Connected with id " + i + " from " + incoming.getInetAddress().getHostName() + "...");
                        Thread t = new ThreadedServer(incoming, i);
                        i++;
                        t.start();
                   }
              }
              catch (IOException e)
              {
                   e.printStackTrace(System.err);
              }
         }
    }

    class ThreadedServer extends Thread
    {
         int n;
         String c, fn, fc;
         String filenm;
         Socket incoming;
         int counter;
         String dirn = "c:/FTP SERVER DIRECTORY"; // declared but never used below

         public ThreadedServer(Socket i, int c)
         {
              incoming = i;
              counter = c;
         }

         public void run()
         {
              try
              {
                   BufferedReader in = new BufferedReader(new InputStreamReader(incoming.getInputStream()));
                   PrintWriter out = new PrintWriter(incoming.getOutputStream(), true);
                   OutputStream output = incoming.getOutputStream();
                   fn = in.readLine();
                   c = fn.substring(0, 1);

                   // A download request has the form #<file name>#
                   if (c.equals("#"))
                   {
                        n = fn.lastIndexOf("#");
                        filenm = fn.substring(1, n);
                        FileInputStream fis = null;
                        boolean filexists = true;
                        System.out.println("Request to download file " + filenm + " received from " + incoming.getInetAddress().getHostName() + "...");
                        try
                        {
                             // The name sent by the client is used as the path without any check
                             fis = new FileInputStream(filenm); //here is security bug.
                        }
                        catch (FileNotFoundException exc)
                        {
                             filexists = false;
                             exc.printStackTrace(System.err);
                        }
                        if (filexists)
                        {
                             sendBytes(fis, output);
                             fis.close();
                        }
                   }
                   // The post ends here; the rest of run() is not shown.
              }
              catch (IOException e)
              {
                   // Added only to close the try block that the post leaves open
                   e.printStackTrace(System.err);
              }
         }

         // sendBytes() is called in run() but is not shown in the post;
         // this minimal version is an assumption added so the class compiles.
         private static void sendBytes(InputStream fis, OutputStream os) throws IOException
         {
              byte[] buffer = new byte[1024];
              int bytes;
              while ((bytes = fis.read(buffer)) != -1)
              {
                   os.write(buffer, 0, bytes);
              }
         }
    }

    [/highlight]
    Last edited by ekta; 01-27-2014 at 05:29 PM.

  4. #4
    Norm's Avatar
    Norm is online now Moderator
    Join Date
    Jun 2008
    Location
    Eastern Florida
    Posts
    17,792
    Rep Power
    25

    Default Re: Security in java

    What is a "path manipulation" security bug?
    If you don't understand my response, don't ignore it, ask a question.

  5. #5
    kjkrum's Avatar
    kjkrum is offline Senior Member
    Join Date
    Apr 2011
    Location
    Tucson, AZ
    Posts
    1,060
    Rep Power
    6

    Default Re: Security in java

    It would help if you posted the error message. But here's a guess. Is this part of an applet? Is the error a SecurityException? If so, read this: What Applets Can and Cannot Do (The Java™ Tutorials > Deployment > Java Applets)
    Get in the habit of using standard Java naming conventions!

  6. #6
    ekta is offline Member
    Join Date
    Jan 2014
    Posts
    3
    Rep Power
    0

    Default Re: Security in java

    I'm not having any error. I just want to make my code secure.
    The code is working but there is a security bug in the code, i.e. a path manipulation security bug,
    i.e. an attacker can specify a path used in an operation on the filesystem. What can I do to solve this? On Google I found the whitelisting thing as a solution but don't know how to do that.

  7. #7
    gimbal2 is offline Just a guy
    Join Date
    Jun 2013
    Location
    Netherlands
    Posts
    4,260
    Rep Power
    6

    Default Re: Security in java

    Security comes from being an expert in your field and on the subject of (IT) security as a whole; you can't just be told what is secure and what is not. 9/10 times security holes are not directly in the application code but rather in the usage and maintenance, for example.

    "On Google I found the whitelisting thing as a solution but don't know how to do that."

    And that proves my point. You don't know how to do it - well go find out.
    "Syntactic sugar causes cancer of the semicolon." -- Alan Perlis
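
Added example, not part of any post in this thread: one way to apply the whitelisting asked about in post #6 to the `new FileInputStream(filenm)` line in post #3, assuming files may only be served from a single directory such as `dirn`. The class `SafeFileResolver`, its `resolve` method and the file-name pattern are hypothetical names chosen for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added example: SafeFileResolver and its members are hypothetical names.
public class SafeFileResolver
{
     // Allow-list: one plain file name (letters, digits, '.', '_', '-').
     // Path separators, drive letters and empty names never match.
     private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,254}");

     private final Path baseDir;

     public SafeFileResolver(String dir) throws IOException
     {
          // toRealPath() resolves symlinks and ".." in the base directory itself
          baseDir = Paths.get(dir).toRealPath();
     }

     // Returns the file to serve, or throws if the request is not allowed.
     public Path resolve(String requested) throws IOException
     {
          if (requested == null || !ALLOWED.matcher(requested).matches() || requested.contains(".."))
               throw new SecurityException("file name not allowed");
          // Throws NoSuchFileException (an IOException) if the file does not exist
          Path real = baseDir.resolve(requested).toRealPath();
          // Second check after symlink resolution: the result must still be inside baseDir
          if (!real.startsWith(baseDir) || !Files.isRegularFile(real))
               throw new SecurityException("path escapes the served directory");
          return real;
     }

     public static void main(String[] args) throws IOException
     {
          // Constructed demo: a temporary directory stands in for the served directory
          Path dir = Files.createTempDirectory("ftp-demo");
          Files.write(dir.resolve("report.txt"), "hello".getBytes());
          SafeFileResolver r = new SafeFileResolver(dir.toString());
          System.out.println("allowed: " + r.resolve("report.txt").getFileName());
          for (String bad : new String[] { "../secret.txt", "c:/windows/win.ini", "sub/../../x", "" })
          {
               try { r.resolve(bad); System.out.println("accepted (unexpected): " + bad); }
               catch (SecurityException e) { System.out.println("rejected: '" + bad + "' (" + e.getMessage() + ")"); }
          }
     }
}
```

In the server from post #3, the stream would then be opened with `Files.newInputStream(resolver.resolve(filenm))` instead of passing `filenm` to `FileInputStream` directly, so the client-supplied name is checked before it reaches the filesystem.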
