 
Bugtraq mailing list archives
Re: Unsecured server in applets under Netscape
From: bve () QUADRIX COM (BVE)
Date: Wed, 3 Feb 1999 07:45:13 -0000
   Date:        Tue, 2 Feb 1999 13:42:32 -0800
   From:        Giao Nguyen <grail () CAFEBABE ORG>

   Just for kicks, I wrote a sample applet that listened on a socket. I
   discovered that when the applet was loaded under Netscape (as tested
   with version 4.5), any host could then connect to the machine running
   this applet. I won't bore anyone with the code because it's so trivial
   that a novice to Java should be able to write it with ease after
   reading some documentation.

   According to Java in a Nutshell, 2nd edition, p. 139:

   * Untrusted code cannot perform networking operations, except in
   certain restricted ways.  Untrusted code cannot:
     [...]
     - Accept network connections on ports less than or equal to 1024 or
       from any host other than the one from which the code itself was
       loaded.

   While the port number restriction is held by the VM, the point of
   origin restriction is not held at all.

The error in your analysis is most likely that you were running Java code from
a class file installed on your local machine, as opposed to one which is
downloaded from a web site somewhere.  The former is considered "trusted,"
while the latter is "untrusted."

Any class file you've compiled on your local machine will be considered
"trusted," and will be allowed to do pretty much anything it wants.  Similarly,
any class file you've copied to your hard drive, as opposed to downloading from
within a web browser, will be considered "trusted."
--
                                     -- Bill Van Emburg
                                        Quadrix Solutions, Inc.
Phone: 732-235-2335, x206               (bve () quadrix com)
Fax:   732-235-2336                     (http://quadrix.com)
        "You do what you want, and if you didn't, you don't"
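Added example, not part of the original message or thread: a small Java check of the two points discussed above, namely where a class was actually loaded from and what the quoted accept rule would then allow. It is a model only; it uses the Java 2 `CodeSource` API rather than anything Netscape 4.5 ran, and the class name, method names and `example.com` hosts are hypothetical.

```java
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;

public class CodeOriginCheck {
    // Location a class was loaded from; null for bootstrap classes or
    // class loaders that supply no CodeSource.
    static URL locationOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null ? null : cs.getLocation();
    }

    // The reply's distinction: class files on the local disk are "trusted".
    static boolean isLocal(URL location) {
        return location != null && "file".equals(location.getProtocol());
    }

    // The quoted rule for untrusted code: accept only on ports above 1024
    // and only from the host the code was loaded from.
    // An unknown origin fails closed.
    static boolean mayAccept(URL location, String remoteHost, int localPort) {
        if (isLocal(location)) return true;
        if (location == null || localPort <= 1024) return false;
        // Plain name comparison: aliases and IP literals are not resolved.
        return location.getHost().equalsIgnoreCase(remoteHost);
    }

    public static void main(String[] args) throws Exception {
        // Result depends on how this class was launched (directory, jar, ...).
        URL self = locationOf(CodeOriginCheck.class);
        // Constructed sample origin standing in for a downloaded applet.
        URL remote = URI.create("http://applets.example.com/classes/").toURL();

        System.out.println("this class loaded from: " + self);
        System.out.println("this class, other host, port 8000: "
                + mayAccept(self, "other.example.net", 8000));
        System.out.println("downloaded, origin host, port 8000: "
                + mayAccept(remote, "applets.example.com", 8000));
        System.out.println("downloaded, other host, port 8000: "
                + mayAccept(remote, "other.example.net", 8000));
        System.out.println("downloaded, origin host, port 80: "
                + mayAccept(remote, "applets.example.com", 80));
    }
}
```

Printing the code location first is the useful step when testing a sandbox: it shows whether the class under test really came from the network or from the local disk.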


