Multiple Vendors java.net.URLConnection Applet Direct Connection Vulnerability
BID:1336
Info
Multiple Vendors java.net.URLConnection Applet Direct Connection Vulnerability
| Bugtraq ID: | 1336 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2000-0563 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jun 10 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | Original bug posted to Bugtraq by Ben Mesander <[email protected]> on April 16, 2000. Additional information provided by Hiromitsu Takagi <[email protected]> on June 10, 2000. |
| Vulnerable: |
Alexander Clauss & iCab Company iCab 2.0 pre |
| Not Vulnerable: | |
Discussion
Multiple Vendors java.net.URLConnection Applet Direct Connection Vulnerability
The security model of Apple Mac OS Runtime Java (MRJ) is ignored in the function java.net.URLConnection. Therefore, it is possible to connect directly to any host whereas an applet should only be able to connect to the host that it originated from.
Hiromitsu Takagi <[email protected]> illustrates in the following article the dangers of any host being accessed:
http://java-house.etl.go.jp/ml/archive/j-h-b/033470.html
A malicious website operator could set up applets which could lend itself to download sensitive information in any data format given that the file and path is known.
This vulnerability depends on the combination of MRJ and browser version the system is running. To check whether or not your machine is vulnerable, make note of what version of browser and MRJ you are running and visit the following URL:
http://java-house.etl.go.jp/ml/archive/j-h-b/033471.html
The security model of Apple Mac OS Runtime Java (MRJ) is ignored in the function java.net.URLConnection. Therefore, it is possible to connect directly to any host whereas an applet should only be able to connect to the host that it originated from.
Hiromitsu Takagi <[email protected]> illustrates in the following article the dangers of any host being accessed:
http://java-house.etl.go.jp/ml/archive/j-h-b/033470.html
A malicious website operator could set up applets which could lend itself to download sensitive information in any data format given that the file and path is known.
This vulnerability depends on the combination of MRJ and browser version the system is running. To check whether or not your machine is vulnerable, make note of what version of browser and MRJ you are running and visit the following URL:
http://java-house.etl.go.jp/ml/archive/j-h-b/033471.html
Exploit / POC
Multiple Vendors java.net.URLConnection Applet Direct Connection Vulnerability
Hiromitsu Takagi <[email protected]> has set up the following web page to demonstrate this vulnerability:
http://java-house.etl.go.jp/~takagi/java/test/urlconnection-direct/Test.html
Hiromitsu Takagi <[email protected]> has set up the following web page to demonstrate this vulnerability:
http://java-house.etl.go.jp/~takagi/java/test/urlconnection-direct/Test.html
Solution / Fix
Multiple Vendors java.net.URLConnection Applet Direct Connection Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Multiple Vendors java.net.URLConnection Applet Direct Connection Vulnerability
References:
References:
- Danger of Security Defect of Any Host Being Accessed (Hiromitsu Takagi)
- java.net.URLConnection Bug Test (Hiromitsu Takagi)
- Warning: Security Holes Found in URLConnection of MRJ and IE of Mac OS (Hiromitsu Takagi)