From kevin.w.wall@gmail.com on October 07, 2013 13:18:13

The default ESAPI.properties file has an insecure default configuration for the Executor component. The configuration is also OS specific (specific to Windows standard OS install).

Here is the relevant contents for the two properties related to the Executor interface as defined in "configuration/esapi/ESAPI.properties":

ESAPI Executor

CHECKME - Not sure what this is used for, but surely it should be made OS independent.

Executor.WorkingDirectory=C:\Windows\Temp
Executor.ApprovedExecutables=C:\Windows\System32\cmd.exe,C:\Windows\System32\runas.exe

Looking at the code in org.owasp.esapi.reference.DefaultExecutor.executeSystemCommand(), it is clear that the property "Executor.ApprovedExecutables" is intended to be a white-list of a set of approved executables, separated by a comma.

As it is defined, by default, both "cmd.exe" and "runas.exe" are permitted, which is overly permissive at best.

The default for the "Executor.ApprovedExecutables" property should be the empty string so that a development team is forced to specify what is acceptable to their specific application.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=307