Java Plugin 1.4 with JRE 1.3 -> Ignores certificates.
From: Daniel Kasmeroglu (daniel.kasmeroglu@web.de)Date: 08/25/01
- Previous message: Hardy Krause: "Tool prevents logging of default.ida (IIS / NT)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 24 Aug 2001 22:58:58 -0000 Message-ID: <20010824225858.19674.qmail@securityfocus.com> From: Daniel Kasmeroglu <daniel.kasmeroglu@web.de> To: bugtraq@securityfocus.com Subject: Java Plugin 1.4 with JRE 1.3 -> Ignores certificates.
During work I've found out that the combination of the
Java Plugin 1.4 with the JRE 1.3 doesn't handle
certificates properly. An applet signed with an
outdated certificate shouldn't be able to get access to
the filesystem on the client machine. However this
happens when using the named combination. So my
applet was able to do some filesystem operations
without a valid certificate. For better bugtracking I've
generated some files (HTML,JSP,Applet,Certificate)
to reproduce this problem.
Here you'll find these files:
http://user.cs.tu-berlin.de/~raptor/SecurityFault/
Starting point is the file SecurityFault.html .If you got
JBuilder a corresponding project file is included.
- Previous message: Hardy Krause: "Tool prevents logging of default.ida (IIS / NT)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
