Firewall Wizards mailing list archives

Re: Phrack #60: "Java tears down the Firewall"


From: David Lang <david.lang () digitalinsight com>
Date: Fri, 3 Jan 2003 14:25:12 -0800 (PST)

Ok, this then limits the attack to the machine running the browser, doesn't
it? Or are you saying that firewalls allow active FTP data connections to
terminate on a different machine than the control connection is from? I
know not all firewalls make this mistake (one more case where a good app-
level firewall will win over a stateful firewall).

David Lang

On Fri, 3 Jan 2003, Mikael Olsson wrote:

Date: Fri, 03 Jan 2003 23:07:19 +0100
From: Mikael Olsson <mikael.olsson () clavister com>
To: Marcus J. Ranum <mjr () ranum com>
Cc: fw-wiz <firewall-wizards () honor icsalabs com>
Subject: Re: [fw-wiz] Phrack #60: "Java tears down the Firewall"


"Marcus J. Ranum" wrote:

Mikael Olsson wrote:
- The firewall automagically pokes a hole for this "data channel"
- The server box is suddenly allowed to connect to this vulnerable port, through the firewall.

Could the java app proxy to other ports internally? Seems
like a simple exercise for the malcoder.

Ah, no, the java sandbox only allows connections back to the server
that served the applet -- the problem is that this security model
doesn't coexist very well together with the FTP "security model".


--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

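The check David is asking about, as an added example that is not code from either poster or from any firewall product: an application-level FTP proxy decodes the client's PORT command and decides whether to open a hole for the data channel. It accepts only an endpoint that belongs to the host owning the control connection and, as an extra rule many ALGs apply (assumed here, not stated in the thread), only an unprivileged port, which is what stops the applet from pointing the data channel at a low-numbered service on the browser host. The PORT lines and addresses are constructed.

```python
import re

# 'PORT h1,h2,h3,h4,p1,p2' as defined in RFC 959 (IPv4, active mode).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Decode a PORT command into (ip, port); None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None  # each octet/byte must fit in 8 bits
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def should_open_data_channel(port_line, control_client_ip):
    """Decide whether the proxy may let the server connect to the advertised
    endpoint. Returns (allow, reason)."""
    parsed = parse_port_command(port_line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    # David's point: the data channel must terminate on the same host that
    # owns the control connection, never on some other internal machine.
    if ip != control_client_ip:
        return False, "PORT address %s differs from control source %s" % (ip, control_client_ip)
    # Assumed extra rule: refuse privileged ports, so a PORT command issued
    # from the browser host cannot expose one of its own low-numbered services.
    if port < 1024:
        return False, "PORT asks for privileged port %d" % port
    return True, "open %s:%d for this session only" % (ip, port)


def audit_session(control_client_ip, commands):
    """Run every PORT line of a constructed control session through the check."""
    return [should_open_data_channel(c, control_client_ip) for c in commands]


if __name__ == "__main__":
    # Constructed control-channel lines from a client at 10.0.0.5.
    session = ["PORT 10,0,0,5,4,1",      # ephemeral port on the client itself
               "PORT 10,0,0,6,4,1",      # different internal host
               "PORT 10,0,0,5,0,139",    # low-numbered service on the client
               "PORT 10,0,0,5,999,1"]    # malformed byte value
    for line, (allow, reason) in zip(session, audit_session("10.0.0.5", session)):
        print("%-22s %-5s %s" % (line, "ALLOW" if allow else "DENY", reason))
```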