
Security bug in appletviewer : full read/write access to client's disks



I discovered a bug in the implementation of the SecurityManager class
in the appletviewer, in the JDK release 1.02. 

This bug permits an applet to read or write your entire file systems
(restricted to your UNIX permissions), providing you have configured
your browser to allow limited read or write access (using the file
~/.hotjava/properties, see http://www.javasoft.com/sfaq)

Netscape is not vulnerable to this attack, since there is no way to
allow read or write access to applets in Netscape.

To allow an applet to read (resp. write) files on your disk, you must
enter the following lines in your ~/.hotjava/properties file:

acl.read=/tmp (which means that applet can read any files in /tmp, in
regards to your UNIX identity)

acl.write=/tmp (which means that applet can write any files in /tmp in
regards to your UNIX identity)

The appletviewer does not check for .. occurring in the pathname. So,
trying to access /etc/passwd fails with a SecurityException, while trying
/tmp/../etc/passwd works!

Sun was notified on April 29, 1996, and acknowledged on April
30. Unfortunately, this has not been fixed in JDK 1.02.

Please see http://www.infobiogen.fr/people/claude/java/secbug.htm for
an example.






-- 
------------------------------------------------------------------------------
Claude Scarpelli                        | Defenestrate: to exit a window
INFOBIOGEN ::= INFOrmatique appliquée à | onscreen. (Time International
l'étude des BIOmolécules et des GÉNomes | Vol 146, No. 20, Nov 13, 1995)
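
The missing `..` check described in the message, shown beside a canonicalizing check, as an added example that is not part of the original post and not the JDK's own code. The class and method names are hypothetical, and the raw prefix comparison is an assumed shape of the flaw (the message only states that `..` is not checked); UNIX-style paths are assumed.

```java
import java.io.File;
import java.io.IOException;

public class AclPathCheck {
    // Constructed ACL entry, mirroring acl.read=/tmp from the message.
    static final String ACL_READ = "/tmp";

    // Flawed check (assumed shape of the bug): compares the raw string
    // prefix, so ".." segments in the requested path are never resolved.
    static boolean naiveAllowed(String path) {
        return path.equals(ACL_READ) || path.startsWith(ACL_READ + "/");
    }

    // Hardened check: canonicalize both sides before comparing.
    // getCanonicalPath() resolves "." and ".." and, on UNIX, symbolic links.
    // The trailing separator keeps /tmpfoo from matching the /tmp entry.
    static boolean canonicalAllowed(String path) throws IOException {
        String root = new File(ACL_READ).getCanonicalPath();
        String target = new File(path).getCanonicalPath();
        return target.equals(root) || target.startsWith(root + File.separator);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs; no file is opened, only paths are compared.
        String[] samples = {
            "/tmp/notes.txt",
            "/etc/passwd",
            "/tmp/../etc/passwd",
            "/tmp/a/../../etc/passwd",
            "/tmpfoo/x"
        };
        for (String p : samples) {
            System.out.printf("%-26s naive=%-5b canonical=%b%n",
                    p, naiveAllowed(p), canonicalAllowed(p));
        }
    }
}
```

The two checks disagree only on the paths containing `..`: the raw prefix comparison accepts them because they start with `/tmp/`, while the canonical form places them under `/etc`.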

