Re: JavaScript to grab email (fwd)



At 12:37 PM 2/22/96, Robert S. Muhlestein wrote:
>On Thu, 22 Feb 1996, George Spafford wrote:
>
>> >From: Jyri Kaljundi <jk@digit.ee>
>> >To: cypherpunks@toad.com
>> >Subject: JavaScript to grab email
>> >Date: Tue, 20 Feb 1996 16:33:21 +0200 (EET)
>> >
>> >Another annoying feature in JavaScript and Netscape. Have a look at
>> ><http://www.popco.com/grabtest.htm>
>>
>>
>> Well, if you want to take an Orwellian perspective, a person could write a
>> script in Java to access all kinds of information on the local drive(s),
>> even take it a step further and gather information from all attached drives
>> the host has rights to.
>
>Have you done this?  Has anyone else?  "Hooked on Java" and all the other
>info I get from Sun and others suggests local drive read and write access
>is only available to "trusted" applets (presumably a future Netscape pref
>setting).  Do you have any proof to support your claim (besides the recent
>posting about connecting to any host, which, I agree, is very scary).
>
>Robert Muhlestein
>Teleport Creative Services
>CGI Guy
>cgi@teleport.com

Well,

Originally people thought you couldn't break out of sendmail, or use telnet
to gain root access (unless you had the password), or use syslog to break
into a system, or a host of other implementation bugs that crop up in any
large piece of software.  A Java interpreter is a large piece of software.
Anyways, this is JavaScript and not Java (they are two separate things
despite the name similarity).  I don't know much about the security applied
toward JavaScript.  I hope it gets better with time.

With Java and JavaScript (and all of the others of their ilk coming down
the line) the user will be able to access software without knowing it.
Nice from a usability standpoint, a nightmare to protect against.


-----
Thank You,

Daniel W. Woycke, Senior INFOSEC Engineer       (703) 883-1362
Network Security Engineering
NIDR & Firewall Applications
The MITRE Corporation
"The mixed up things are, the better the solution." -- Ms. Frizzle