
RISKS: Java security/privacy bug




From RISKS:

----------------------------------------------------------------------

Date: Mon, 22 Apr 96 17:37:54 +0200
From: [email protected] (TERMINATOR)
Subject: Java security/privacy bug

We have found a privacy/security bug in the Java implementation of the
Netscape Navigator. It is very easily possible for an applet to find out the
pathname of the directory in which the Netscape Navigator was started.  This
information could then be sent back to a CGI program for logging. Clearly
this information should not be available to an applet, as is indicated by
the fact that applets are prevented from reading the "user.home" and
"user.dir" system properties.

When the Netscape Navigator is run under the Windows 95 OS, the pathname
usually does not contain any critical information. However, when the
Navigator is run under a multi-user network OS, such as UNIX, the pathname
often contains the e-mail and/or login name of the user. In addition, the
pathname might reveal details about the topology of the user's network,
which an experienced hacker might be able to exploit.

There are two ways to protect yourself from this problem: Either start up
the Netscape Navigator in a directory whose pathname does not reveal any
critical information, or disable Java altogether (Options | Security
Preferences | General). A system administrator can protect his network by
configuring the HTTP proxy server not to retrieve Java ".class" files.

This bug is present in at least the following versions of the Navigator:

        2.0
        2.01
        3.0b2
        2.0GoldB1
        2.01Gold

and in the implementations for at least the following platforms:

        SunOS 4.1.2, 4.1.3, 4.1.4
        SunOS 5.3, 5.4, 5.5
        Windows 95, Windows NT
        IRIX 5.2, 5.3
        HP-UX A.0903, A.0905
        Linux 1.2.10, 1.2.13
        FreeBSD 2.1.0-RELEASE
        OSF1 V3.2

We have not tested whether this bug also exists in Sun's HotJava browser.

We will release full details of the bug as soon as Sun and Netscape have
issued patches which fix the problem.

Full details have been sent to Sun and Netscape. This announcement has also
been posted to the "comp.lang.java" newsgroup and has been sent to CERT.

Daniel Abplanalp and Stephan Goldstein ([email protected])
Berne, Switzerland

------------------------------

-------------------------------------------------------------------------
Steven Weller                      |  Weller's three steps to Greatness:
                                   |     1. See what others cannot
                                   |     2. Think what others cannot
[email protected]                   |     3. Express what others cannot
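
Added example, not part of the original RISKS posting or of any Netscape or Sun code: a sketch of the decision logic a filtering HTTP proxy could apply for the ".class" workaround mentioned above. It goes beyond the URL suffix the posting names by also checking the declared media type and the class-file magic bytes; the function names, the media-type list and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Every compiled Java class file starts with these four bytes.
# Mach-O universal binaries share this magic, so they are blocked as well.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Assumed list of media types commonly declared for class files; adjust locally.
CLASS_TYPES = {
    "application/java-vm",
    "application/x-java-vm",
    "application/java",
    "application/x-java-applet",
}

def is_java_class(url, content_type="", body_prefix=b""):
    """Return the reason a response should be blocked, or None to allow it."""
    # Compare only the path, so a query string cannot hide the suffix.
    if urlsplit(url).path.lower().endswith(".class"):
        return "url-suffix"
    # Strip parameters such as "; charset=..." before comparing the media type.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in CLASS_TYPES:
        return "content-type"
    # Catches class files served under another name and a generic type.
    if body_prefix[:4] == CLASS_MAGIC:
        return "magic-bytes"
    return None

# Constructed sample traffic: (URL, Content-Type header, first bytes of body).
SAMPLES = [
    ("http://example.test/applets/Demo.class", "application/octet-stream",
     b"\xca\xfe\xba\xbe\x00\x03\x00\x2d"),
    ("http://example.test/applets/DEMO.CLASS?v=2", "", b""),
    ("http://example.test/cgi-bin/fetch?name=Demo",
     "application/java-vm; charset=binary", b""),
    ("http://example.test/data/blob.bin", "application/octet-stream",
     b"\xca\xfe\xba\xbe\x00\x03\x00\x2d"),
    ("http://example.test/docs/class.html", "text/html", b"<html>"),
]

def filter_decisions(samples):
    """Map each sample URL to its block reason (None means pass through)."""
    return {url: is_java_class(url, ctype, body) for url, ctype, body in samples}

if __name__ == "__main__":
    for url, reason in filter_decisions(SAMPLES).items():
        print("BLOCK" if reason else "ALLOW", reason or "-", url)
```

A suffix-only rule would pass the third and fourth constructed samples, which is why the content checks are included.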