JChains minimal install distribution
====================================

NOTE: This archive includes code that serves as Proof-Of-Concept
for my upcoming thesis. The following vulnerabilities were refactored
using this tool:

    CVE-2007-4575
    CVE-2003-1573

AUTHOR: Marc Schoenefeld, marc.schoenefeld AT gmx DOT org

LICENSE: Free for use in free software, but credit the author
Don't use in commercial software without prior admission
from the author.

1. A sample configuration can be found in the sampleconf directory.
   The script tomcat_jchains.sh shows how an application startup script
   can be customized for use with jchains. This configuration should be
   usable on Fedora 10 with the tomcat6 and java-1.6.0-openjdk packages
   installed.

2. Run the command

       java -Dorg.jchains.file=tomcat.csv -jar ../jchains.jar -file

   or simply use the startGUIForTomcat.sh script.

http://127.0.0.1:8080/bshservlet-wbsh/eval gives you the Beanshell servlet.
Try some stuff with Beanshell and see the results in the GUI:

1)  // Read /etc/passwd through the servlet to trigger a file permission check
    java.io.FileInputStream f = new java.io.FileInputStream("/etc/passwd");
    byte[] b = new byte[f.available()];
    int r = f.read(b);
    f.close();
    System.out.println(new String(b));
    return r;

You will find a suspicious FilePermission for /etc/passwd in the permission log.
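
The following is an added example, not jchains code and not a description of how jchains records permissions. It shows the JVM hook at which the file read above surfaces as a java.io.FilePermission, using a record-only SecurityManager; the class names PermissionLogDemo and RecordingManager are made up for the illustration, and it assumes a Java 6 era JVM like the one named in step 1 (newer JDKs restrict or remove System.setSecurityManager).

```java
import java.io.FileInputStream;
import java.io.FilePermission;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;

// Added illustration (hypothetical class names, not part of jchains):
// record every permission the JVM checks, without denying anything.
public class PermissionLogDemo {

    static class RecordingManager extends SecurityManager {
        final List<Permission> log = new ArrayList<Permission>();

        @Override
        public synchronized void checkPermission(Permission perm) {
            // Record only: no SecurityException is thrown, so nothing is blocked.
            log.add(perm);
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    public static void main(String[] args) throws Exception {
        RecordingManager rm = new RecordingManager();
        System.setSecurityManager(rm);

        // Same access as the Beanshell snippet: opening the file makes the
        // JVM check a FilePermission with action "read" for that path.
        FileInputStream f = new FileInputStream("/etc/passwd");
        try {
            f.read();
        } finally {
            f.close();
        }

        // Work on a copy: printing may trigger further checks that append
        // to the live list while it is being iterated.
        for (Permission p : new ArrayList<Permission>(rm.log)) {
            if (p instanceof FilePermission) {
                System.out.println(p.getName() + " " + p.getActions());
            }
        }
    }
}
```

A read of /etc/passwd requested by web application code is the kind of entry to question when deciding which permissions the application should be granted.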