Java Plugin 1.4 with JRE 1.3 -> Ignores certificates.

From: Daniel Kasmeroglu (daniel.kasmerogluat_private)
Date: Fri Aug 24 2001 - 15:58:58 PDT


    During work I've found out that the combination of the 
    Java Plugin 1.4 with the JRE 1.3 doesn't handle 
    certificates properly. An applet signed with an 
    outdated certificate shouldn't be able to get access to 
    the filesystem on the client machine. However, this 
    happens when using the named combination. So my 
    applet was able to do some filesystem operations 
    without a valid certificate. For better bug tracking I've 
    generated some files (HTML, JSP, Applet, Certificate) 
    to reproduce this problem.
    
    Here you'll find these files:
      http://user.cs.tu-berlin.de/~raptor/SecurityFault/
    
    The starting point is the file SecurityFault.html. If you have 
    JBuilder, a corresponding project file is included.
    