From: Daniel Kasmeroglu (daniel.kasmerogluweb.de)
Date: Fri Aug 24 2001 - 17:58:58 CDT

    During work I've found out that the combination of the
    Java Plugin 1.4 with the JRE 1.3 doesn't handle
    certificates properly. An applet signed with an
    outdated certificate shouldn't be able to get access to
    the filesystem on the client machine. However, this
    happens when using the named combination. So my
    applet was able to do some filesystem operations
    without a valid certificate. For better bugtracking I've
    generated some files (HTML, JSP, Applet, Certificate)
    to reproduce this problem.

    Here you'll find these files:
      http://user.cs.tu-berlin.de/~raptor/SecurityFault/

    Starting point is the file SecurityFault.html. If you have
    JBuilder, a corresponding project file is included.