Invoking untrusted mobile code

Last revision (mm/dd/yy): //

Vulnerabilities Table of Contents

Description
This process will download external source or binaries and execute it.

Consequences

Unspecified.

Exposure period

Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

Languages: Java and C++

Operating platform: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

This is an unsafe practice and should not be performed unless one can use some type of cryptographic protection to assure that the mobile code has not been altered.

Risk Factors

 * Talk about the factors that make this vulnerability likely or unlikely to actually happen
 * Discuss the technical impact of a successful exploit of this vulnerability
 * Consider the likely [business impacts] of a successful attack

Examples
In Java:

URL[] classURLs= new URL[]{new URL("file:subdir/")}; URLClassLoader loader = nwe URLClassLoader(classURLs); Class loadedClass = Class.forName("loadMe", true, loader);

Related Attacks

 * Attack 1
 * Attack 2

Related Vulnerabilities

 * Cross-site Scripting (XSS)

Related Controls

 * Implementation: Avoid doing this without proper cryptographic safeguards.

Related Technical Impacts

 * Technical Impact 1
 * Technical Impact 2