Thursday, July 28, 2011

Re: Exploit for GWT-RPC

I believe that's a problem with the web application. The attacker is calling the unprotected method HomepageService.getLocalHost() that returns a TrustHostModel with a hostname, password, port, user, userid,...
I'm not a security expert, but I would never request a password from server.

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/6XoShhJSs8kJ.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)