From: Leif M. <le...@ta...> - 2005-08-12 16:47:29
Vinod,

The Wrapper is actually very careful about its socket. The port is
opened by the Wrapper process immediately before launching a JVM. The
port that is used is dynamic. The socket is bound to the localhost
loopback interface, so external machines are not able to even see the
port. Once opened, the Wrapper only accepts a single connect from the
JVM. The JVM must provide a key value or the Wrapper will reject it.
Then once the JVM is connected, the Wrapper stops listening for other
connects.

So in order to hack it, a piece of software would have to have access
to the loopback device, the key passed to the JVM when it is launched,
and then have to make the connect at just the correct instant between
the JVM process being launched and it being able to connect to the
Wrapper. If malicious code is that far into a system then it could in
theory do quite a bit more than hacking into the Wrapper's socket.
Hope this builds confidence.
Cheers,
Leif
Vinod Panicker wrote:
>Hi,
>
>Would there be any security considerations to keep in mind when using
>wrapper? I read that it listens on a port for requests? Do we need
>to firewall that port or something else just to ensure that it cannot
>be exploited?
>
>Regards,
>Vinod.
>
>
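
The handshake pattern described in the reply above (loopback bind, dynamic port, one-time key, single accept, then stop listening), as an added Python sketch that is not part of the original thread and is not the Wrapper's own code. All function names, the hex key format and the newline-terminated key message are assumptions made for illustration.

```python
import hmac
import secrets
import socket
import threading


def open_listener():
    """Bind to loopback on an OS-chosen port and mint a one-time key."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # loopback only; port 0 = dynamic port
    srv.listen(1)
    key = secrets.token_hex(16)  # assumed key format; given to the child at launch
    return srv, srv.getsockname()[1], key


def accept_child(srv, key, timeout=5.0):
    """Accept exactly one connection, stop listening, then check the key."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    srv.close()                  # listener gone: no second connect possible
    conn.settimeout(timeout)
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < 128:
        chunk = conn.recv(128)
        if not chunk:
            break
        buf += chunk
    if hmac.compare_digest(buf.strip(), key.encode()):
        return conn              # authenticated channel to the child
    conn.close()                 # wrong or missing key: reject
    return None


def run_handshake(offered=None):
    """Constructed demo: this thread plays the child, another the parent."""
    srv, port, key = open_listener()
    result = []
    parent = threading.Thread(target=lambda: result.append(accept_child(srv, key)))
    parent.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as child:
        child.sendall(((key if offered is None else offered) + "\n").encode())
        parent.join()
    conn = result[0]
    if conn is not None:
        conn.close()
    return conn is not None, srv.fileno() != -1   # (accepted, still listening)


if __name__ == "__main__":
    print(run_handshake(), run_handshake("wrong-key"))
```

In this sketch the listener is closed right after the single accept, whether or not the key then matches; the reply above only states that listening stops once the JVM is connected.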