EXTREME weirdness - applet writing without permissions
Stefan Reich
stefan.reich.maker.of.eye at googlemail.com
Mon Mar 17 16:29:12 UTC 2014
Hi folks,
here is something really really weird. I have this applet:
http://tinybrain.de:8080/tb-applet/chat-applet.php
with this source code (you can verify!):
<applet id="theapplet" code="net.luaos.tb.tb16.ComputerChatApplet.class"
width="100%" height="300" alt="Java Applet" archive="magic.jar?3195969">
<!--<param name="permissions" value="all-permissions" />-->
</applet>
</div>
Clearly, all-permissions is just a comment. I also get no security dialog
or anything, so it's a SANDBOXED applet.
However, I can clearly see it accessing my disk. I enter "hello" in the
chat field, and instantly, a file in ~/.tinybrain is created on my
partition.
By an untrusted applet.
How's it possible?
Process dump:
stefan 746 32001 0 17:22 ? 00:00:00
/usr/lib/firefox/plugin-container
/usr/lib/jvm/java-7-openjdk-i386/jre/lib/i386/IcedTeaPlugin.so -greomni
/usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir
/usr/lib/firefox/browser 32001 true plugin
stefan 754 746 1 17:22 ? 00:00:04
/usr/lib/jvm/java-7-openjdk-i386/bin/java
-Xbootclasspath/a:/usr/share/icedtea-web/netx.jar:/usr/share/icedtea-web/plugin.jar
-classpath /usr/lib/jvm/java-7-openjdk-i386/lib/rt.jar
sun.applet.PluginMain
/tmp/icedteaplugin-stefan/746-icedteanp-plugin-to-appletviewer
/tmp/icedteaplugin-stefan/746-icedteanp-appletviewer-to-plugin
Note: I also use signed applets, using the same .jar, on other pages. Maybe
that slips through to this applet? But still, it's totally out of spec that
this applet can write stuff to disk, or is it?
Cheers,
Stefan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140317/93aed7b8/attachment-0001.html>
More information about the distro-pkg-dev
mailing list