[2076] in WWW Security List Archive


Security bug in appletviewer : full read/write access to client's disks

daemon@ATHENA.MIT.EDU (Claude Scarpelli)
Mon May 13 14:07:45 1996

Date: Mon, 13 May 1996 17:27:38 +0200 (MET DST)
From: Claude Scarpelli <claude@infobiogen.fr>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

I discovered a bug in the implementation of the SecurityManager class
in the appletviewer, in the JDK release 1.02. 

This bug permits an applet to read or write your entire file systems
(restricted to your UNIX permissions), providing you have configured
your browser to allow limited read or write access (using the file
~/.hotjava/properties, see http://www.javasoft.com/sfaq)

Netscape is not vulnerable to this attack, since there is no way to
allow read or write access to applets in Netscape.

To allow an applet to read (resp. write) files on your disk, you must
enter the following lines in your ~/.hotjava/properties file:

acl.read=/tmp (which means that applet can read any files in /tmp, in
regards to your UNIX identity)

acl.write=/tmp (which means that applet can write any files in /tmp in
regards to your UNIX identity)

The appletviewer does not check for .. occurring in the pathname. So,
trying to access /etc/passwd fails with a SecurityException, thus trying
/tmp/../etc/passwd works!

Sun was notified on April 29 1996, and acknowledged on April
30. Unfortunately, this has not been fixed in JDK 1.02.

Please see http://www.infobiogen.fr/people/claude/java/secbug.html for
an example.






-- 
------------------------------------------------------------------------------
Claude Scarpelli                        | Defenestrate: to exit a window
INFOBIOGEN ::= INFOrmatique appliquée à | onscreen. (Time International
l'étude des BIOmolécules et des GÉNomes	| Vol 146, No. 20, Nov 13, 1995)
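
The following is an added example, not part of the original message and not code from the JDK: it models the missing ".." check described in the message as a raw string prefix comparison (an assumption about how such a check could fail) beside a check that normalizes the path first. The class name, method names and sample paths are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class AclPathCheck {
    // Constructed ACL root, matching the acl.read=/tmp setting quoted in the message.
    static final String ACL_ROOT = "/tmp";

    // Assumed model of the flawed check: a raw string prefix comparison
    // on the path exactly as the applet supplied it.
    static boolean naiveAllowed(String requested) {
        return requested.startsWith(ACL_ROOT + "/");
    }

    // Hardened check: collapse "." and ".." lexically first, then compare
    // whole path components, so "/tmpfoo" is not treated as inside "/tmp".
    // normalize() does not resolve symlinks; a caller that must defend
    // against those should resolve the real path before comparing.
    static boolean normalizedAllowed(String requested) {
        Path root = Paths.get(ACL_ROOT).normalize();
        Path target = Paths.get(requested).normalize();
        return target.startsWith(root);
    }

    public static void main(String[] args) {
        String[] samples = {   // constructed inputs
            "/tmp/scratch.txt",
            "/etc/passwd",
            "/tmp/../etc/passwd",
            "/tmpfoo/x",
        };
        for (String p : samples) {
            System.out.printf("%-22s naive=%-5b normalized=%b%n",
                    p, naiveAllowed(p), normalizedAllowed(p));
        }
    }
}
```

Only the normalized check rejects /tmp/../etc/passwd; both checks accept /tmp/scratch.txt and reject /etc/passwd and /tmpfoo/x.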
