Re: Applets listening on Sockets in Java

From: Tim Wright (wrightat_private)
Date: Mon Feb 15 1999 - 10:16:05 PST

    On Sat, 13 Feb 1999, Lincoln Stein wrote:
    
    > Tim Wright writes:
    >  > <alxat_private> and I recently explored the "security hole" in Java
    >  > where an applet can listen on a port, and accept connections from any
    >  > machine, rather than just the machine from which the applet was
    >  > down-loaded.
    >  >
    >  > The code which was posted to BugTraq does appear to exhibit this
    >  > behavior. However, on closer inspection the posted code only created a
    >  > class to listen on a socket, and did not call the method to accept
    >  > connections from that socket. It turns out that the SecurityException is
    >  > (correctly) thrown during the accept method call.
    >
    > That's with connection-oriented sockets.  What about UDP sockets?
    
    just tested, code attached.
    
    UDP sockets throw an IOException rather than a SecurityException, but they
    do exhibit correct behaviour in that incoming packets from unauthorized
    places are not accepted.
    
    Tim
    http://stl.qucis.queensu.ca/~wright
    
    No society has lasted forever, so why do we assume that our
    society will?
    
    
    
    
    // Server code
    
    import java.applet.*;
    import java.io.*;
    import java.net.*;
    
    /**
     * Applet that binds a UDP port and reports every datagram it receives.
     * Used to check whether the applet sandbox lets an applet receive
     * datagrams from hosts other than the one it was loaded from.
     */
    public class SocketListener extends Applet {
    
      public void init() {
        DatagramSocket ss;
        try {
          // Binding the port is permitted; the sandbox check happens in receive().
          ss = new DatagramSocket(7000);
        } catch (IOException ioe) {
          System.err.println("error, cannot create socket: " + ioe);
          return;
        }
        System.err.println("created server socket");
        while (true) {
          try {
            System.err.println("waiting for datagram");
            byte[] buf = new byte[1024];
            DatagramPacket s = new DatagramPacket(buf, buf.length);
            ss.receive(s);
            System.err.println("received datagram from " + s.getAddress());
            // getData() returns the whole buffer; decode only the bytes received.
            System.err.println("read:" + new String(s.getData(), 0, s.getLength()));
          } catch (IOException ioe) {
            System.err.println("IO exception thrown: " + ioe);
          }
        }
      }
    }
    
    
    
    
    
    
    // Client Code
    
    import java.net.*;
    
    /**
     * Command-line sender: fires one UDP datagram at port 7000 on the host
     * named on the command line, so the applet above can be probed from a
     * machine other than the one it was loaded from.
     */
    public class SocketConnector {
    
      public static void main(String[] args) {
        if (args.length != 1) {
          System.err.println("usage: java SocketConnector <host>");
          return;
        }
        try {
          byte[] data = "hi there".getBytes();
          DatagramPacket dp = new DatagramPacket(data, data.length,
                                                 InetAddress.getByName(args[0]), 7000);
          DatagramSocket sock = new DatagramSocket();
          sock.send(dp);
          sock.close();
        } catch (Exception e) {
          System.err.println("exception occurred");
          e.printStackTrace();
        }
      }
    }
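The check described in the thread (binding the port is permitted, the refusal happens when a connection is accepted) can be reproduced outside a browser by installing a SecurityManager whose checkAccept admits only one origin host. The following is an added example, not code from Tim Wright's post: the class names, the loopback self-connection and the hypothetical origin name applet-host.example are assumptions of this example, and it exercises the TCP accept path only, not UDP. It assumes a JDK that still ships the SecurityManager (JDK 17 to 23, started with -Djava.security.manager=allow); JDK 24 removed it.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.Permission;

/** Hypothetical stand-in for the applet sandbox: only the origin host may connect. */
final class OriginOnlySecurityManager extends SecurityManager {
    private final String originHost;

    OriginOnlySecurityManager(String originHost) {
        this.originHost = originHost;
    }

    // Permit everything else (listen, connect, setSecurityManager, ...) so that the
    // demonstration isolates the one check that matters here.
    @Override public void checkPermission(Permission perm) { }
    @Override public void checkPermission(Permission perm, Object context) { }

    // ServerSocket.accept() calls this with the peer's address AFTER the TCP
    // handshake has completed; throwing here makes accept() close the new
    // socket and rethrow the SecurityException to the caller.
    @Override public void checkAccept(String host, int port) {
        if (!host.equals(originHost)) {
            throw new SecurityException("accept from " + host + ":" + port
                    + " denied (origin is " + originHost + ")");
        }
    }
}

public class AcceptCheckDemo {
    /** Bind on loopback, connect to ourselves, and report whether accept() was allowed. */
    static String tryAccept(String originHost) throws IOException {
        System.setSecurityManager(new OriginOnlySecurityManager(originHost));
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            // Binding succeeds whatever the origin is (checkListen is permitted above):
            // this is the "applet can listen on a port" half of the BugTraq report.
            try (Socket client = new Socket(server.getInetAddress(), server.getLocalPort())) {
                try (Socket peer = server.accept()) {
                    return "accepted connection from " + peer.getInetAddress().getHostAddress();
                } catch (SecurityException se) {
                    return "accept() refused: " + se.getMessage();
                }
            }
        } finally {
            System.setSecurityManager(null);
        }
    }

    public static void main(String[] args) throws IOException {
        // Origin equals the loopback peer: the connection is accepted.
        System.out.println(tryAccept("127.0.0.1"));
        // Origin is some other host (hypothetical name): the bind and the TCP
        // handshake still succeed, but accept() throws SecurityException.
        System.out.println(tryAccept("applet-host.example"));
    }
}
```

Compile with javac (deprecation warnings for SecurityManager are expected) and run with java -Djava.security.manager=allow AcceptCheckDemo. The first call reports an accepted loopback connection; the second shows that the server socket was bound and the client's connect() completed, yet accept() is the point at which the sandbox refuses the peer. This is why the originally posted test, which bound the socket but never called accept(), looked like a hole.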
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:57 PDT