Bugtraq mailing list archives

FW: open socket in java


From: ninja405 () CISI NET (Nin|a405)
Date: Thu, 11 Feb 1999 09:40:51 -0800


Responses should be directed towards matts () atvideo com.

Thanks,
Ninja405

-----Original Message-----
From:   matt [mailto:matts () atvideo com]
Sent:   Wednesday, February 10, 1999 10:42 AM
To:     BUGTRAQ () netspace org
Subject:        re:open socket in java

Some of this stuff does not sound right.  I'm not a security expert, but my
status as a Java Nut leaves me little choice but to wade in, guns blazing...
:) Since I'm dropping into the middle of this thread, I should say that I
assume we are talking about using Java Applets within a browser that has a
proper Java Virtual Machine (JVM) which runs applets in a sandbox.

<some guy wrote>
> ...Unbeknownst to
> the company or the branch office, the applet has actually opened a
> listen socket, has accepted a connection from the applet's original
> author...

The JVM sandbox (if working normally) only allows socket connections back to
the URL of the http server that the browser got the applet from.  If the
applet is served up by a trusted host, then the bad-guy has to conquer that
host before he can get the private data.  If a user is browsing around the
web, using executable content from a stranger's web page to process company
data, well the world will be well served by that company's disappearance
from the market :)

<some other guy replied>
> the missing information here that this scenario doesn't contain,
> is that the applet's original author must know the host that the
> applet is running on, in order to connect to the applet.

The sandbox should prevent such a connection. Did I miss an assumption from
earlier discussion?

> This information can be easily sent by the applet to the bad guy
> by making a http request - hiding information in the URL. We
> implemented this type of communication, allowing a java applet
> to communicate with an arbitrary server

This does not sound right.  The JVM does not know an http request from any
other kind of socket activity, so it should refuse communications via port
80 like all the rest, unless the connection is to the applet source URL.
Could the writer please amplify this statement?  Are we talking about Java
or JavaScript?

--
Matthew Sexton (matts () atvideo com) Advanced Technology Video, Inc.
Redmond, Wa 98052 Voice: 425-885-7000 x263 Fax:  425-881-7014
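
Added example, not part of the original message or of any browser's JVM code: a small model of the origin-only socket rule discussed above, expressed with java.net.SocketPermission so each socket action from the thread (connect, listen, accept) can be checked against it. The addresses are constructed documentation-range values, and granting "connect,accept" to the origin host alone is an assumption of this model.

```java
import java.net.SocketPermission;
import java.security.Permissions;

public class AppletOriginPolicy {
    // Constructed sample addresses (documentation ranges), not taken from the thread.
    static final String ORIGIN = "192.0.2.10";   // host that served the applet
    static final String OTHER  = "198.51.100.7"; // any host that is not the origin

    // Model assumption: the sandbox grants connect/accept for the origin host
    // only, on any port, and grants nothing else (no listen, no other hosts).
    static Permissions sandboxFor(String originHost) {
        Permissions granted = new Permissions();
        granted.add(new SocketPermission(originHost + ":1-", "connect,accept"));
        return granted;
    }

    // True if the modelled sandbox would permit the requested socket action.
    static boolean allowed(Permissions granted, String hostPort, String action) {
        return granted.implies(new SocketPermission(hostPort, action));
    }

    public static void main(String[] args) {
        Permissions sandbox = sandboxFor(ORIGIN);

        // Each row: target host:port, requested action, scenario from the thread.
        String[][] attempts = {
            {ORIGIN + ":80",    "connect", "applet talks back to its own server"},
            {OTHER + ":80",     "connect", "HTTP request to an arbitrary server"},
            {"127.0.0.1:4000",  "listen",  "applet opens a listen socket"},
            {OTHER + ":4000",   "accept",  "accepting a connection from a third party"},
            {ORIGIN + ":4000",  "accept",  "accepting a connection from the origin"},
        };

        for (String[] a : attempts) {
            String verdict = allowed(sandbox, a[0], a[1]) ? "ALLOW" : "DENY";
            System.out.printf("%-5s %-8s %-20s %s%n", verdict, a[1], a[0], a[2]);
        }
    }
}
```

IP literals are used throughout so the permission comparison does not depend on name resolution.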


