[16126] in bugtraq
Re: Dangerous Java/Netscape Security Hole
daemon@ATHENA.MIT.EDU (Michael H. Warfield)
Tue Aug 8 03:12:00 2000
Mail-Followup-To: tkuiper@TOBIT.COM, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20000807145647.B5516@alcove.wittsend.com>
Date: Mon, 7 Aug 2000 14:56:47 -0400
Reply-To: "Michael H. Warfield" <mhw@WITTSEND.COM>
From: "Michael H. Warfield" <mhw@WITTSEND.COM>
X-To: tkuiper@TOBIT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <001DEF19.398E67ED@mail.tobit.com>; from tkuiper@TOBIT.COM on
Mon, Aug 07, 2000 at 07:40:30AM +0000
On Mon, Aug 07, 2000 at 07:40:30AM +0000, tkuiper@TOBIT.COM wrote:
> which versions are affected, even Netscape 6 PRE?
Netscape 6 pre1 has expired and Netscape 6 pre2 isn't officially
released yet. Mozilla, from mozilla.org, appears to NOT be (at least not
the latest from CVS, I don't know about M16 which is what Netscape 6 pre1
was based on). That may not be good news, though. Mozilla gets an error
trying to download the class file saying "downloader plugin not found".
Not sure what will happen when that gets fixed. It may end up being
vulnerable after all.
> Best Regards,
> Thomas
> -------- Original Message --------
> Subject: Dangerous Java/Netscape Security Hole (07-Aug-2000 9:35)
> From: dan=security@BRUMLEVE.COM
> To: tkuiper@TOBIT.COM
>
> Dear BugTraq,
>
> I've found some security holes in Java and Netscape
> that allow arbitrary network access and read-access
> for local files and directories. As a demonstration
> I've written Brown Orifice HTTPD, a web server and file
> sharing tool that runs in Netscape Communicator on all
> tested platforms. For more information, see:
>
> http://www.brumleve.com/BrownOrifice
>
>
> Thomas Kuiper | tkuiper@tobit.com | www.tobit.com __
> Core Development | ICQ #8345483 | /__/\
> Tobit Software | PGP Key on Request | ask your server. \__\/
>
>
>
> To: dan=security@BRUMLEVE.COM
> BUGTRAQ@SECURITYFOCUS.COM
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!