Subject: [NT] IE/Outlook java security vulnerability exposes local files
Date: Wed, 18 Oct 2000 21:14:23 +0200

IE/Outlook java security vulnerability exposes local files
------------------------------------------------------------------------

SUMMARY

There is a security vulnerability in IE 5.5/Outlook/Outlook Express that allows reading of local files, arbitrary Intranet URLs and the local directory structure after a user views a web page or reads a malicious HTML message.

DETAILS

The problem lies in the ability to specify an arbitrary codebase for an applet loaded from tag and a jar file. Applets may read URLs from their codebase and communicate with hosts from the same codebase.

The following code:

Sets the applet's codebase to file:///c:/.

This is not a Java language problem and supposedly not a problem in Microsoft's VM, but rather a problem in the way the codebase is set by IE.

Exploit:

The code is:

---------javacodebase1.html------------------------------------------
---------------------------------------------------------------------

--------gjavacodebase.java-------------------------------------------
.....
try {
    u = new URL(getParameter("URL"));
    InputStream is=u.openStream();
    byte ba[]=new byte[1000];
    int l=is.read(ba);
    InputStream os=u.openConnection().getInputStream();
    String s1=new String(ba,0,l);
    print(u.toString());
    print(s1);
}
......
---------------------------------------------------------------------

Workaround:

Disable Java.

Demonstration:

A live demonstration is available at: http://www.guninski.com/javacodebase1.html

ADDITIONAL INFORMATION

The information has been provided by Georgi Guninski.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
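A defensive check for the condition described under DETAILS, as an added example that is not part of the original bulletin: it scans HTML (a web page or an HTML mail body) for any element whose codebase attribute points at something other than a remote http/https URL. The allowed-scheme policy, the names audit and CodebaseAuditor, and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: content that arrived from the network may only name a
# remote http/https codebase, or a relative one that resolves against the page.
ALLOWED_SCHEMES = {"http", "https"}


class CodebaseAuditor(HTMLParser):
    """Collects (line, tag, value) for every suspicious codebase attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes character
        # references in values, so "FILE&#58;//" arrives here as "FILE://".
        for name, value in attrs:
            if name != "codebase" or value is None:
                continue
            # Drop whitespace/control characters and normalise backslashes
            # before looking at the scheme.
            cleaned = "".join(ch for ch in value if ch > " ").replace("\\", "/")
            scheme = urlsplit(cleaned).scheme.lower()
            # A drive-letter path such as C:/ parses as scheme "c" and is
            # flagged as well; a value with no scheme is treated as relative.
            if scheme and scheme not in ALLOWED_SCHEMES:
                line, _ = self.getpos()
                self.findings.append((line, tag, value))


def audit(html_text):
    """Return the findings for one HTML document or mail body."""
    auditor = CodebaseAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample input (not taken from the bulletin).
SAMPLE = """<html><body>
<applet code="Demo.class" codebase="http://applets.example.com/"></applet>
<object codebase="file:///c:/" width="1" height="1"></object>
<applet code="Demo.class" codebase=" FILE&#58;///c:/"></applet>
<applet code="Demo.class" codebase="classes/"></applet>
</body></html>"""

if __name__ == "__main__":
    for line, tag, value in audit(SAMPLE):
        print(f"line {line}: <{tag}> codebase={value!r}")
```

A mail gateway or proxy could quarantine or strip content for which audit returns any finding; this complements the bulletin's workaround of disabling Java and does not replace it.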