[9322] in bugtraq
Re: Unsecured server in applets under Netscape
daemon@ATHENA.MIT.EDU (BVE)
Wed Feb 3 11:51:09 1999
Date: Wed, 3 Feb 1999 07:45:13 -0000
Reply-To: BVE <bve@QUADRIX.COM>
From: BVE <bve@QUADRIX.COM>
X-To: grail@CAFEBABE.ORG
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <14007.27670.587482.882130@wuss> (message from Giao Nguyen on
Tue, 2 Feb 1999 13:42:32 -0800)
Date: Tue, 2 Feb 1999 13:42:32 -0800
From: Giao Nguyen <grail@CAFEBABE.ORG>
Just for kicks, I wrote a sample applet that listened on a socket. I
discovered that when the applet was loaded under Netscape (as tested
with version 4.5), any hosts could then connect to the machine running
this applet. I won't bore anyone with the code because it's so trivial
that a novice to Java should be able to write it with ease after
reading some documentation.
According to Java in a Nutshell, 2nd edition, p. 139:
* Untrusted code cannot perform networking operations, exception
certain restricted ways. Untrusted code cannot:
[...]
- Accept network connections on ports less than or equal to 1024 or
from any host other than the one from which the code itself was
loaded.
While the port number restriction is held by the VM, the point of
origin restriction is not held at all.
The error in your analysis is most likely that you were running Java code from
a class file installed on your local machine, as opposed to one which is
downloaded from a web site somewhere. The former is considered "trusted,"
while the latter is "untrusted."
Any class file you've compiled on your local machine will be considered
"trusted," and will be allowed to do pretty much anything it wants. Similarly,
any class file you've copied to your hard drive, as opposed to downloading from
within a web browser, will be considered "trusted."
--
-- Bill Van Emburg
Quadrix Solutions, Inc.
Phone: 732-235-2335, x206 (bve@quadrix.com)
Fax: 732-235-2336 (http://quadrix.com)
"You do what you want, and if you didn't, you don't"
