[1900] in WWW Security List Archive
New Netscape Java security hole found: disclosure of path
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Wed Apr 24 11:57:46 1996
From: Prentiss Riddle <riddle@is.rice.edu>
To: www-security@ns2.rutgers.edu
Date: Wed, 24 Apr 1996 08:27:54 -0500 (CDT)
Errors-To: owner-www-security@ns2.rutgers.edu
The announcement below appeared in RISKS DIGEST 18.06. Forwarded FYI.
-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
--------------------------------------------------------------------------
FORWARDED MESSAGE:
>
> Date: Mon, 22 Apr 96 17:37:54 +0200
> From: goldstei@iamexwi.unibe.ch (TERMINATOR)
> Subject: Java security/privacy bug
>
> We have found a privacy/security bug in the Java implementation of the
> Netscape Navigator. It is very easily possible for an applet to find out the
> pathname of the directory in which the Netscape Navigator was started. This
> information could then be sent back to a CGI program for logging. Clearly
> this information should not be available to an applet, as is indicated by
> the fact that applets are prevented from reading the "user.home" and
> "user.dir" system properties.
>
> When the Netscape Navigator is run under the Windows 95 OS, the pathname
> usually does not contain any critical information. However, when the
> Navigator is run under a multi-user network OS, such as UNIX, the pathname
> often contains the e-mail and/or login name of the user. In addition, the
> pathname might reveal details about the topology of the user's network,
> which an experienced hacker might be able to exploit.
>
> There are two ways to protect yourself from this problem: Either start up
> the Netscape Navigator in a directory whose pathname does not reveal any
> critical information, or disable Java altogether (Options | Security
> Preferences | General). A system administrator can protect his network by
> configuring the HTTP proxy server not to retrieve Java ".class" files.
>
> This bug is present in at least the following versions of the Navigator:
>
> 2.0
> 2.01
> 3.0b2
> 2.0GoldB1
> 2.01Gold
>
> and in the implementations for at least the following platforms:
>
> SunOS 4.1.2, 4.1.3, 4.1.4
> SunOS 5.3, 5.4, 5.5
> Windows 95, Windows NT
> IRIX 5.2, 5.3
> HP-UX A.0903, A.0905
> Linux 1.2.10, 1.2.13
> FreeBSD 2.1.0-RELEASE
> OSF1 V3.2
>
> We have not tested whether this bug also exists in Sun's HotJava browser.
>
> We will release full details of the bug as soon as Sun and Netscape have
> issued patches which fix the problem.
>
> Full details have been sent to Sun and Netscape. This announcement has also
> been posted to the "comp.lang.java" newsgroup and has been sent to CERT.
>
> Daniel Abplanalp and Stephan Goldstein (goldstei@iamexwi.unibe.ch)
> Berne, Switzerland