www.WhosWhere.com selling access to my employer's passwd file

Blake Coverett blake at bcdev.com
Mon Apr 29 22:40:15 PDT 1996


>   We go to great pains to keep from revealing your e-mail address to
> a web site.  Several of the fixes in 2.01 were for these sorts of problems.
> Given a current version of Netscape Navigator, how would a spam-king
> steal your e-mail address from his web page?

I just noticed an attack vector that I wasn't aware of previously.  If the
browser is running with CLASSPATH set to include the JDK classes.zip, applets
are suddenly able to enumerate all the system properties.  On my system
user.name is set to '?', but user.dir and user.home are both available.

This isn't a huge exposure, but it is unsettling.

-Blake (off to poke around further)