[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Possible Java hack.

To: [email protected]
Subject: Possible Java hack.
From: [email protected] (Stephen P. Gibbons)
Date: Sat, 27 Jan 1996 01:12:28 -0700
Cc: [email protected]
Sender: [email protected]

I had a brainstorm this morning, and I think that I may have a possible
hack against Java that might circumvent a few network access policies and
the firewalls that support them.

Looking at the Java APIs it seems pretty likeley to me that when a name to
address lookup is performed, all it does is call gethostbyname() or the
equivilant.

If this is the case (and I don't have a source license at this point, or
even a system that will run Java) there is the possiblility that a sytem
with control of a web server and a DNS server could coerce a Java client
into initiating TCP connections to clients other than the system that
provided the applet (which should be a prohibited behavior, as I read the
specs.)

This is still at the WAG stage, since I don't have access to source code
and have not received confirmation (nor denial) from any of the vendors
that I have contacted, but I'd appreciate feedback (positive or negative)
from the list(s).

FWIW, my WAGs have about an 80% hit ratio, but this is the first that I've
posted without confirmation.

ObCrypto:  _When_ will DNS be secured via PKE?

--
[email protected]

Follow-Ups:
- Re: Possible Java hack.
  - From: "Perry E. Metzger" <[email protected]>

Prev by Date: Re: Open NNTP servers and logging
Next by Date: Encrypted IP tunneling
Prev by thread: Open NNTP servers and logging
Next by thread: Re: Possible Java hack.
Index(es):
- Date
- Thread