...
| Code Block | ||
|---|---|---|
| ||
private Boolean validateValue(long time) {
// Perform validation
return true; // If the time is valid
}
private void storeDateInDB(java.util.Date date) throws SQLException {
final java.util.Date copy = (java.util.Date)date.clone();
if (validateValue(copy.getTime())) {
Connection con = DriverManager.getConnection("jdbc:microsoft:sqlserver://<HOST>:1433","<UID>","<PWD>");
PreparedStatement pstmt = con.prepareStatement("UPDATE ACCESSDB SET TIME = ?");
pstmt.setLong(1, copy.getTime());
// ...
}
}
|
The {[The storeDateInDB()}} method accepts an untrusted date argument and attempts to make a defensive copy using its clone() method. This allows an attacker to take control of the program by creating a malicious date class that extends Date. If the attacker's code runs with the same privileges as storeDateInDB(), the attacker merely embeds malicious code inside their clone() method:
...