[2049] in WWW Security List Archive
Re: Java Hole: Web Graffiti & Covert Channels
daemon@ATHENA.MIT.EDU (Donald T. Davis)
Fri May 10 14:16:39 1996
To: Jacob Rose <jacob@hummingbird.whiteshell.com>
Cc: www-security@ns2.rutgers.edu
In-reply-to: Your message of "Fri, 10 May 1996 08:07:49 EDT."
<Pine.ULT.3.91.960510075405.21748B-100000@hummingbird.whiteshell.com>
Date: Fri, 10 May 1996 12:08:39 -0400
From: "Donald T. Davis" <don@cam.ov.com>
Errors-To: owner-www-security@ns2.rutgers.edu
>> the idea [is] that a user hitting any site on the web after activating
>> the trojan horse applet, will see whatever it is the trojan horse wants
>> them to see by REDIRECTING the URL locations to the hacker server ...
jacob rose replied:
> Goodness, everyone. This is not a bug in Java! You can do this with a
> CGI script! ... So, really, this problem has nothing to do with Java,
> it's simply a consequence of hypertext.
the point of the complaint is that java is supposed to be more
secure than CGI; that's one of java's main design goals, and one
which java has consistently failed to meet.
-don davis, boston