Re: loophole in a Java applet security feature

schemers@Eng
Wed, 8 Jul 1998 19:15:10 -0700 (PDT)

Date: Wed,  8 Jul 1998 19:15:10 -0700 (PDT)
From: schemers@Eng
To: see chin <scw21@cus.cam.ac.uk>
Subject: Re: loophole in a Java applet security feature
In-Reply-To: <Pine.SOL.3.96.980708191413.1485F-100000@ursa.cus.cam.ac.uk>

see chin writes:
> I would like to point out a loophole in the Java applet security feature
> that a Java applet cannot open connections to systems other than its
> original host.
...
> Therefore, the gateway daemon allows the applet to connect anywhere ---
> circumventing the applet security feature that prevents an applet from
> making connections to systems other than its original host.
>

That is certainly not a loophole. The client can't instruct the
server to do anything that the server could not do itself, so why
would this be a security problem? The scenario you describe is
certainly what many people do today. The server that the applet is
loaded from is used as a proxy/gateway to other servers, like database
servers, etc.

If the applet itself is allowed to connect to any host then there are
several holes that occur that could not happen using the server as
a gateway:

the client might be inside a firewall, thus it can connect to local
hosts that the original server could not connect to.

This is a major concern for places with firewalls. Even if you do not have
a firewall a further concern is:

if the client itself connects to a system that is logging IP
addresses (for auditing reasons) then it looks like the client host
initiated the connection and there is no way to detect that it was
an applet that was loaded from another server. If the server is
used as a gateway then the audit trail would point back to the
server.

i.e., an applet could get downloaded to your system, and start probing
ports on all your local systems, gathering up information that can
be used to launch attacks and break into the system. Someone trying
to track down the attack would assume the attack is coming from the
client machine (because it is!), and there might not be any way to
find out which server the applet originally came from.

roland