LinuxQuestions.org
Old 08-10-2000, 04:25 PM   #1
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,597



Sorry guys this is a little delayed. I have been extremely busy.

A flaw in Netscape Communicator's implementation of Java allows malicious applets to read any resource reachable via a URL from the local machine by using the netscape.net.URLConnection and netscape.net.URLInputStream classes. This allows malicious applets to read local files as well as download data from hosts that would otherwise be protected by a firewall.

An untrusted applet normally is not allowed to read or write to the local file system, or to open network connections to any machine other than that from which it was downloaded. Security sensitive classes such as FileInputStream(), RandomAccessFile(), or Socket() normally check whether a class can read from a local file by calling the SecurityManager.checkRead() method or whether it can connect to other hosts by calling the SecurityManager.checkConnect() method.

Netscape's netscape.net.URLConnection and netscape.net.URLInputStream classes seem to ignore or not perform these checks when passed a URL. Thus malicious classes can read local files using URLs of the type "file://".

If the machine running the malicious applet is behind a firewall it will also be able to download resources that can be accessed via a URL, such as web servers ("http://" or "https://") or FTP servers ("ftp://"), that the attacker in control of the machine from which the applet was downloaded could not. In this way a malicious applet could be used to penetrate a firewall.

Basically this turns Netscape into a file server. Check out http://www.brumleve.com/BrownOrifice/ for an interesting exploit.
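
The check described in the post above, sketched as an added example (not part of the original post and not Netscape's code): a URL-opening class has to map each URL to the same read or connect check that FileInputStream and Socket perform, before any I/O happens. The class `AppletUrlGuard`, its methods and the sample hosts are hypothetical; `checkRead` and `checkConnect` only imitate the role of the SecurityManager methods of the same name.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;

/** Added illustration: applet sandbox rules applied to URL fetches. All names are hypothetical. */
public class AppletUrlGuard {
    private final String originHost; // host the untrusted code was downloaded from

    public AppletUrlGuard(String originHost) {
        this.originHost = originHost.toLowerCase(Locale.ROOT);
    }

    // Plays the role of SecurityManager.checkRead(): untrusted code gets no local file access.
    void checkRead(String path) {
        throw new SecurityException("local read denied: " + path);
    }

    // Plays the role of SecurityManager.checkConnect(): only the origin host is reachable.
    void checkConnect(String host) {
        if (host == null || !host.toLowerCase(Locale.ROOT).equals(originHost)) {
            throw new SecurityException("connect denied: " + host);
        }
    }

    // The step the post says was skipped: route every URL to the matching check before any I/O.
    public void checkUrl(String url) {
        URI u = URI.create(url);
        String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
        switch (scheme) {
            case "file": checkRead(u.getPath()); break;
            case "http": case "https": case "ftp": checkConnect(u.getHost()); break;
            default: throw new SecurityException("scheme denied: " + scheme); // default-deny
        }
    }

    public static void main(String[] args) {
        AppletUrlGuard guard = new AppletUrlGuard("applets.example.com");
        // Constructed sample URLs: a same-origin fetch, the two cases from the post, a nested scheme.
        for (String url : List.of("http://applets.example.com/data.txt",
                                  "FILE:///etc/passwd",
                                  "http://intranet.example.internal/wiki",
                                  "jar:file:///tmp/x.jar!/a")) {
            try {
                guard.checkUrl(url);
                System.out.println("ALLOW " + url);
            } catch (SecurityException e) {
                System.out.println("DENY  " + url + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the same-origin URL is allowed; the scheme comparison is case-insensitive and unknown schemes are refused rather than passed through.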
 
Old 08-18-2000, 12:56 AM   #2
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,597

Original Poster
Update

Netscape released 4.75 which should fix the problem. It is available at ftp://ftp.netscape.com/pub/communica...plete_install/.
 
Old 08-18-2000, 01:37 AM   #3
bickford
Member
 
Registered: Jun 2000
Location: SUNY Buffalo
Posts: 79

Well that's good to know, but the real question is will you use Internet Explorer for Linux when it's released? =)
 
Old 08-18-2000, 06:43 AM   #4
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,597

Original Poster
Probably not. But I probably won't use Netscape either. Mozilla is getting more and more stable with every new milestone. By the time they release it, it may be the only browser I use. If you haven't tried it yet I highly recommend it.
 
Old 08-22-2000, 08:03 PM   #5
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,597

Original Poster
Just a quick follow-up

After using Netscape 4.75 for a little while now I have to say it is considerably faster and quite a bit more stable (I was using 4.73 previously). I highly recommend the upgrade!
 
  

