[2082] in WWW Security List Archive
Re: Security bug in appletviewer : full read/write access to client's disks
daemon@ATHENA.MIT.EDU (Marianne Mueller)
Mon May 13 23:51:24 1996
Date: Mon, 13 May 1996 17:43:24 -0700
From: mrm@doppio.Eng.Sun.COM (Marianne Mueller)
To: claude@infobiogen.fr
Cc: www-security@ns2.rutgers.edu, mrm@doppio.Eng.Sun.COM
In-Reply-To: <199605131527.RAA12985@lovelace.infobiogen.fr> (message from Claude Scarpelli on Mon, 13 May 1996 17:27:38 +0200 (MET DST))
Errors-To: owner-www-security@ns2.rutgers.edu

We have a fix in house. Given the release cycle that we were in during
the last week of April and first week of May (testing JDK 1.0.2), we
weren't able to get this fix into JDK 1.0.2.

We're actively working on how to get a patch process in place, so that
we can distribute security bug fixes without having to do a whole
release of the JDK.

As Claude mentioned,

a) The acl.read and acl.write (access control lists for reading
   and writing files) are null by default.
   You need to set the acl.read property deliberately
   in your ~/.hotjava/properties file, to allow HotJava or
   appletviewer to read a file.

b) Netscape Navigator doesn't read the ~/.hotjava/properties
   file so people using NN won't be affected by this.

Marianne
JavaSoft engineering
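
Added example, not part of the original message and not JavaSoft code: a small audit that reads a ~/.hotjava/properties file and lists every path granted through acl.read or acl.write, so an empty result matches the null default described in point a). Assumptions: several paths in one value are separated by ':', the names parse_properties and audit_acl are hypothetical, and the sample file contents are constructed.

```python
import os

ACL_KEYS = ("acl.read", "acl.write")

# Constructed sample input; "example.other" is a made-up key.
SAMPLE = """\
# constructed sample, not from a real system
example.other=1
acl.read=/home/user:/tmp/applet-data
acl.write = /tmp/applet-data
"""

def parse_properties(text):
    """Minimal .properties reader: skips blank and #/! comment lines and splits
    at the first '=', ':' or whitespace. Line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=: \t":
                key, value = line[:i], line[i + 1:].lstrip("=: \t")
                break
        else:
            key, value = line, ""
        props[key] = value
    return props

def audit_acl(text, home="/home/user"):
    """Return (key, path, scope) for each path granted by acl.read/acl.write."""
    props = parse_properties(text)
    findings = []
    for key in ACL_KEYS:
        # Assumption: several paths in one value are separated by ':'.
        for path in filter(None, props.get(key, "").split(":")):
            broad = path.rstrip("/") in ("", home.rstrip("/"))
            findings.append((key, path, "broad" if broad else "scoped"))
    return findings

if __name__ == "__main__":
    path = os.path.expanduser("~/.hotjava/properties")
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for finding in audit_acl(text, os.path.expanduser("~")):
        print(*finding)
```

A "broad" finding means the entry grants the filesystem root or the whole home directory rather than a specific file or subdirectory.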