Security vendor Imperva has identified an access-control vulnerability in DWR, the Java open-source AJAX development framework (stable releases 1.1.3 and 2.0), which it says an attacker can use to compromise a DWR-based application, which may in turn enable him to, say, break into back-end databases or servers or launch a denial-of-service attack.

On a positive note, Imperva commented that DWR, the AJAX Web application development framework, is "emerging as the lingua franca for building new generation Web 2.0 applications" : )

Forceful Method Invocation Attacks 有力的方法調用攻擊
The key issue is how DWR restricts access to class methods that are not meant to be exposed. DWR 1.1.3 provides a configuration option that forbids the invocation of specific class methods. This exclusion can be applied to some or all of a class's methods, and it is configured in the dwr.xml file. DWR 2.0 adds an additional configuration option based on Java code annotations. However, both mechanisms enforce their restrictions only on the client side. Therefore, by manipulating HTTP requests through a proxy, excluded methods can be invoked. This also applies to public methods that are inherited from super classes.

As a consequence of the above vulnerability, restricted operations may be unintentionally exposed to web users.

Solution 解決方案
The solution is simple for application developers. Simply mark the methods that you don't want to expose as private or protected. Anyone not doing so already should be expelled from the Java world for lacking the minimum concepts of object-oriented development : )

You can also use a proxy class to expose only certain methods.
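To make the two recommendations above concrete, here is an added example in plain Java (not code from the Imperva advisory or from the DWR project; all package, class and method names are hypothetical). It shows the pattern the post warns about, a remoted service class that inherits a destructive public method from a base class, next to the proxy/facade that exposes exactly one method and keeps everything else private, so that a request forged past the client-side exclusion finds nothing extra to call.

```java
// Added example, not from the original post or from DWR. Names are hypothetical.
// In a real project each class lives in its own file; they are combined here
// so the before/after comparison reads in one place.
package com.example.remoting;

import java.util.HashMap;
import java.util.Map;

/** Hypothetical internal base class. Its public methods are inherited by every
 *  subclass, and the post notes that DWR remotes inherited public methods too. */
class RepositoryBase {
    protected final Map<String, String> rows = new HashMap<>();

    /** Destructive maintenance operation, never intended for browser callers. */
    public void deleteAll() {
        rows.clear();
    }
}

/** BEFORE: the class that would be registered for remoting in dwr.xml.
 *  Even if dwr.xml excludes deleteAll(), the post explains that the exclusion
 *  is only enforced on the client, so a hand-built HTTP request can still
 *  reach the inherited public deleteAll(). */
class UserService extends RepositoryBase {
    UserService() {
        rows.put("42", "alice"); // constructed sample data
    }

    public String lookup(String id) {
        return rows.get(id);
    }
}

/** AFTER: the "proxy" the post recommends. This is the only class registered
 *  for remoting. It extends nothing, so it inherits no surprise public
 *  methods, and it has exactly one public method. Everything else is private,
 *  which is enforced by the JVM regardless of what the client sends. */
public final class UserServiceFacade {
    private final UserService delegate = new UserService();

    public String lookup(String id) {
        // Accept only a plain numeric id; anything else is rejected server-side.
        if (id == null || !id.matches("\\d{1,10}")) {
            return null;
        }
        return delegate.lookup(id);
    }

    // Maintenance stays private: not reachable through remoting at all.
    private void purge() {
        delegate.deleteAll();
    }

    public static void main(String[] args) {
        UserServiceFacade facade = new UserServiceFacade();
        System.out.println(facade.lookup("42"));      // alice
        System.out.println(facade.lookup("42; x"));   // null, rejected input
        // facade.purge() cannot be called from here or from any remote request.
    }
}
```

The point is that the facade's access control does not depend on dwr.xml or on annotations being honoured by the browser: the only remotable surface is the set of public methods on the one registered class, and the visibility keywords on that class are checked by the language itself.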

On DWR's side the solution would be to enforce the same restrictions on the server side too, isn't it elementary Dr. Watson?