Date: Mon, 10 Mar 1997 23:39:30 -0800
Message-Id: <199703110739.XAA10079@puffin.eng.sun.com>
From: Marianne Mueller <mrm@Eng>
To: winston_chung@mail.amsinc.com
Subject: signed applets and sneaky cats
Hi Winston,

Sorry that we didn't get your email. We had mailer problems. A
colleague noticed your posting on the comp.lang.java.security and
forwarded it to me.

I'm not able to reproduce the problem you describe below. Can you
please check if you have your current working directory on your
CLASSPATH? If you do have your current working directory on your
classpath, then the writeFile.class will be allowed to run as a
"trusted" local applet. (For more info on the applet security model,
see http://java.sun.com/sfaq/.)

There is a known bug in JDK 1.1 in which an unsigned class in a
CODEBASE uses the same classloader as a signed JAR file that is from
that CODEBASE. However, I don't think this bug (or feature,
depending on your point of view) is what is affecting you, since you
are starting up the appletviewer fresh, and not running some code on
top of a package that was already loaded in with a classloader.

Are the commands you show below the exact commands you are giving the
appletviewer? If you can cut and paste the exact commands you are
using, that helps us try to reproduce the reported bug.

Thanks,

Marianne
JavaSoft security group

> ------- Start of forwarded message -------
> Message-ID: <33206D8E.716A@mail.amsinc.com>
> Date: Fri, 07 Mar 1997 14:33:34 -0500
> From: Winston Chung <winston_chung@mail.amsinc.com>
> Reply-To: winston_chung@mail.amsinc.com
> Organization: AMS
> Newsgroups: comp.lang.java.security,comp.lang.java.misc,comp.lang.java.advocacy
> Subject: Security bug in JDK 1.1 appletviewer
>
> The following bug report was sent to java-security@java.sun.com on
> 3/5/97. I haven't received any response from Javasoft/SUN yet. It is
> posted here as a warning to people working in this area. As you can see
> from the following report, the appletviewer may confuse an applet from
> the network with a class file on your local disk. This is especially
> dangerous to developers who have java class files on their local
> filesystems. No one has to hack your machine, if a class name conflict
> exists, you could shoot yourself.
> Beware!!
>
> -------------- bug report sent to java-security@java.sun.com 3/5/97 --------------------
>
> I discovered a security bug with JDK 1.1 appletviewer. It apparently
> did not implement correctly the name space separation of Java class
> files. As a result, it allowed remote applets to write files to local
> disk.
>
> Here is a simple illustration based on your signed applet example:
> 1. Copy http://java.sun.com/security/signExample/writeFile.java to a
> local directory.
> 2. Edit the Java file and replace "Cats can hypnotize you .." with
> "Sneaky cats can hypnotize you ..", just to make them different.
> 3. javac writeFile.java to compile it.
> 4. appletviewer http://java.sun.com/security/signExample/writeFile.html
>
> 5. Guess what, appletviewer writes the file "Sneaky cats ..."
>
> The problem was discovered on a NT 4.0 system. I expect to see the same
> bug on Windows 95, and perhaps other platforms and hotjava.
>
> Cheers,
>
> Winston Chung
> Center for Advanced Technologies
> American Management Systems, Inc.
> winston_chung@mail.amsinc.com
>
> ------- End of forwarded message -------
>
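
The check Marianne asks for (is the current working directory on CLASSPATH, and does a local class file there share a name with the applet's class?) can be done mechanically. The Python sketch below is an added example, not part of the original e-mails or of the JDK; the function names are hypothetical, the directory and file in `demo()` are constructed, and treating an empty CLASSPATH entry as the current directory is an assumption of the sketch.

```python
import os
import tempfile

def classpath_dirs(classpath, cwd, sep=os.pathsep):
    """Resolve CLASSPATH entries to absolute directories (archives are skipped)."""
    dirs = []
    for entry in classpath.split(sep):
        # Assumption: an empty entry is treated like "." (the current directory).
        path = os.path.abspath(os.path.join(cwd, entry or "."))
        if os.path.isdir(path):
            dirs.append(path)
    return dirs

def cwd_on_classpath(classpath, cwd, sep=os.pathsep):
    """True if any CLASSPATH directory resolves to the working directory."""
    target = os.path.realpath(cwd)
    return any(os.path.realpath(d) == target
               for d in classpath_dirs(classpath, cwd, sep))

def shadowing_classes(classpath, cwd, applet_classes, sep=os.pathsep):
    """Map each applet class name to the local .class file that a CLASSPATH
    directory would supply in place of the copy from the remote CODEBASE."""
    hits = {}
    for name in applet_classes:
        rel = name.replace(".", os.sep) + ".class"
        for d in classpath_dirs(classpath, cwd, sep):
            candidate = os.path.join(d, rel)
            if os.path.isfile(candidate):
                hits[name] = candidate
                break  # the first matching entry wins, as in classpath search order
    return hits

def demo():
    """Constructed scenario: a locally compiled writeFile.class in the cwd."""
    with tempfile.TemporaryDirectory() as work:
        open(os.path.join(work, "writeFile.class"), "wb").close()
        archive = os.path.join(work, "lib", "classes.zip")  # constructed path
        risky = os.pathsep.join([".", archive])  # cwd listed on CLASSPATH
        safe = archive                           # cwd not listed
        return (cwd_on_classpath(risky, work),
                sorted(shadowing_classes(risky, work, ["writeFile"])),
                cwd_on_classpath(safe, work),
                shadowing_classes(safe, work, ["writeFile"]))

if __name__ == "__main__":
    print(demo())
```
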