Bugtraq mailing list archives
Applets listening on Sockets in Java
From: wright () qucis queensu ca (Tim Wright)
Date: Fri, 12 Feb 1999 15:32:22 -0500
<alx () acm org> and I recently explored the "security hole" in Java where an applet can listen on a port, and accept connections from any machine, rather than just the machine from which the applet was downloaded. The code which was posted to BugTraq does appear to exhibit this behavior. However, on closer inspection the posted code only created a class to listen on a socket, and did not call the method to accept connections from that socket. It turns out that the SecurityException is (correctly) thrown during the accept method call.

The server and client code we used follow. It was tested in Netscape 4.06 for WindowsNT. It is important to notice that we hard coded the machine on which the applet would run into the client.

Tim
http://stl.qucis.queensu.ca/~wright

There are no constants in life, only Variables which haven't changed their value in a while.
There are no Variables in life, We live in a continuous stream of short lived constants.

// the applet server - listens on the socket
import java.applet.*;
import java.awt.*;
import java.io.*;
import java.net.*;

/**
 * This type was created in VisualAge.
 */
public class SocketListener extends Applet {
    /**
     * This method was created in VisualAge.
     */
    public void init() {
        ServerSocket ss;
        try {
            // creating the listening socket is what the earlier BugTraq code did
            ss = new ServerSocket(7000);
        } catch (IOException ioe) {
            System.err.println("error, cannot create socket");
            return;
        }
        System.err.println("created server socket");
        while (true) {
            try {
                System.err.println("waiting for connection");
                // the SecurityException is thrown here; it is not an
                // IOException, so it propagates out of init()
                Socket s = ss.accept();
                System.err.println("accepted connection from " + s.getInetAddress());
                DataInputStream pr = new DataInputStream(s.getInputStream());
                System.err.println("read:" + pr.readLine());
                pr.close();
            } catch (IOException ioe) {
                // I/O errors are ignored; the loop waits for the next connection
            }
        }
    }
}

// the applet client - connects to the socket
import java.net.*;
import java.io.*;

public class SocketConnector {
    public SocketConnector() {
        super();
    }

    public static void main(java.lang.String[] args) {
        try {
            // host on which the applet runs, hard coded
            Socket s = new Socket("stl.qucis.queensu.ca", 7000);
            PrintWriter dot = new PrintWriter(s.getOutputStream());
            // terminate the line and flush so the server's readLine() receives it
            dot.println("hi there");
            dot.flush();
            s.close();
        } catch (Exception e) {
            System.err.println("exception occured");
            e.printStackTrace();
        }
    }
}
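The distinction the message reports (the listening socket is created without complaint, the SecurityException arrives only at accept()) can be reproduced outside a browser. The following is an added example, not code from the original post: OriginOnlyManager, ORIGIN_HOST and the loopback client are assumptions that model an origin-only accept policy, and it needs a JDK that still allows installing a SecurityManager (17 or earlier, or 18 to 23 started with -Djava.security.manager=allow).

```java
// Added illustration, not code from the original post.
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.Permission;

public class AcceptCheckDemo {
    // Constructed value: stands in for the host the applet was downloaded from.
    static final String ORIGIN_HOST = "192.0.2.10";

    // Hypothetical policy: listening is allowed, accepting is origin-only.
    static class OriginOnlyManager extends SecurityManager {
        @Override public void checkPermission(Permission p) {
            // allow everything that is not checked explicitly below
        }
        @Override public void checkAccept(String host, int port) {
            if (!ORIGIN_HOST.equals(host)) {
                throw new SecurityException("accept from " + host + ":" + port + " denied");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new OriginOnlyManager());
        try (ServerSocket ss = new ServerSocket(0)) {   // checkListen passes
            final int port = ss.getLocalPort();
            System.err.println("created server socket on port " + port);
            // Loopback client, so the peer address is 127.0.0.1, not ORIGIN_HOST.
            Thread client = new Thread(() -> {
                try (Socket s = new Socket("127.0.0.1", port)) {
                    s.getOutputStream().write("hi there\n".getBytes());
                } catch (IOException e) {
                    System.err.println("client: " + e.getMessage());
                }
            });
            client.start();
            try {
                // ServerSocket.accept() calls checkAccept(peerAddress, peerPort)
                Socket s = ss.accept();
                System.err.println("accepted connection from " + s.getInetAddress());
                s.close();
            } catch (SecurityException se) {
                // The TCP handshake completed, but the application never gets the socket.
                System.err.println("SecurityException at accept(): " + se.getMessage());
            }
            client.join();
        }
    }
}
```

A test that stops after `new ServerSocket(...)` returns would see only the "created server socket" line, which is the observation the message attributes to the earlier BugTraq code.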