From RISKS:
---------------------------------------------------------------------- Date: Mon, 22 Apr 96 17:37:54 +0200 From: goldstei@iamexwi.unibe.ch (TERMINATOR) Subject: Java security/privacy bug We have found a privacy/security bug in the Java implementation of the Netscape Navigator. It is very easily possible for an applet to find out the pathname of the directory in which the Netscape Navigator was started. This information could then be sent back to a CGI program for logging. Clearly this information should not be available to an applet, as is indicated by the fact that applets are prevented from reading the "user.home" and "user.dir" system properties. When the Netscape Navigator is run under the Windows 95 OS, the pathname usually does not contain any critical information. However, when the Navigator is run under a multi-user network OS, such as UNIX, the pathname often contains the e-mail and/or login name of the user. In addition, the pathname might reveal details about the topology of the user's network, which an experienced hacker might be able to exploit. There are two ways to protect yourself from this problem: Either start up the Netscape Navigator in a directory whose pathname does not reveal any critical information, or disable Java altogether (Options | Security Preferences | General). A system administrator can protect his network by configuring the HTTP proxy server not to retrieve Java ".class" files. This bug is present in at least the following versions of the Navigator: 2.0 2.01 3.0b2 2.0GoldB1 2.01Gold and in the implementations for at least the following platforms: SunOS 4.1.2, 4.1.3, 4.1.4 SunOS 5.3, 5.4, 5.5 Windows 95, Windows NT IRIX 5.2, 5.3 HP-UX A.0903, A.0905 Linux 1.2.10, 1.2.13 FreeBSD 2.1.0-RELEASE OSF1 V3.2 We have not tested whether this bug also exists in Sun's HotJava browser. We will release full details of the bug as soon as Sun and Netscape have issued patches which fix the problem. Full details have been sent to Sun and Netscape. This announcements has also been posted to the "comp.lang.java" newsgroup and has been sent to CERT. Daniel Abplanalp and Stephan Goldstein (goldstei@iamexwi.unibe.ch) Berne, Switzerland ------------------------------ ------------------------------------------------------------------------- Steven Weller | Weller's three steps to Greatness: | 1. See what others cannot | 2. Think what others cannot stevenw@best.com | 3. Express what others cannot