Date: Wed, 8 Jul 1998 19:19:51 +0100 (BST)
From: see chin <scw21@cus.cam.ac.uk>
To: java-security@java.sun.com
Subject: loophole in a Java applet security feature

I would like to point out a loophole in the Java applet security feature
that a Java applet cannot open connections to systems other than its
original host.

I'm building an applet that needs files and images during run-time from
multiple arbitrary sites. So I need to circumvent that Java applet
security feature, and have figured out a solution to compromise that
security feature.

Here's the technique of how to make applets connect to any Internet host:

Write all the necessary I/O methods in a Java application, and include a
server-side socket method. Call this Java application the daemon for the
applet. Run the daemon on the server to listen for connection requests
from clients' applets. When an applet is loaded from the same server onto
a browser by a client, if the applet, during run-time, needs any arbitrary
file/image/data or needs to open a connection to an arbitrary site
different from the server site, the applet can connect to the daemon
and pass the URL and parameters to the daemon. Since the daemon is a Java
application and a Java application can connect to any site, the daemon can
download the file/image/data at any URL to the applet or act as a gateway
between the applet and any site, in that the daemon communicates with the
applet on one side and opens a connection to any site on the other.
Therefore, the gateway daemon allows the applet to connect anywhere ---
circumventing the applet security feature that prevents an applet from
making connections to systems other than its original host.

Given that this loophole in that applet security feature cannot be covered
anyway (one is free to write and distribute such gateway daemons for
server-site administrators to run at their server sites),
and there's no security advantage for having that applet security feature,
perhaps it's a good idea for Sun/JavaSoft to relax or drop that
unnecessarily restrictive applet security feature so that one can build
applet applications that can open connections anywhere more easily and
directly, and let the hosts on the Net screen the accesses that applets
can make instead.

For further details, I can be reached at the signature below. Thanks.

See Chin Woon <scw21@damtp.cam.ac.uk>
Trinity College, University of Cambridge, Cambridge CB2 1TQ, UK
Tel: +44 1223 35 92 93
Fax: +44 1223 33 79 18
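
The daemon described in the message makes its connections from the server's position on the network, so an operator running one would want to screen the URLs that applets hand to it. A sketch of that check in Java, added here and not part of the original message; `GatewayPolicy`, `refusalReason` and the sample URLs are assumptions made for illustration.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;

// Added illustration (not from the message): screening applet requests in a gateway daemon.
// GatewayPolicy and refusalReason are hypothetical names; the sample URLs are constructed.
public class GatewayPolicy {

    // Returns null when the daemon may fetch the URL, otherwise the reason for refusing it.
    static String refusalReason(String requestedUrl) {
        URI uri;
        try {
            uri = new URI(requestedUrl);
        } catch (URISyntaxException e) {
            return "malformed URL";
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return "scheme not allowed";   // e.g. file: would read the server's own disk
        }
        if (uri.getHost() == null) {
            return "no usable host";
        }
        try {
            // The daemon connects from the server's network position, so every
            // address the name resolves to must lie outside the server's own network.
            for (InetAddress a : InetAddress.getAllByName(uri.getHost())) {
                byte[] raw = a.getAddress();
                boolean uniqueLocalV6 = a instanceof Inet6Address && (raw[0] & 0xfe) == 0xfc;
                if (a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                        || a.isSiteLocalAddress() || uniqueLocalV6) {
                    return "destination is internal to the server site: " + a.getHostAddress();
                }
            }
        } catch (UnknownHostException e) {
            return "host does not resolve";
        }
        return null;
    }

    public static void main(String[] args) {
        String[] samples = {
            "http://192.0.2.10/logo.gif", "http://127.0.0.1:8080/", "http://10.0.0.5/intranet/",
            "http://[::1]/", "file:///etc/passwd"
        };
        for (String url : samples) {
            String reason = refusalReason(url);
            System.out.println(url + " -> " + (reason == null ? "forward" : "refuse: " + reason));
        }
    }
}
```

The daemon should open its outbound connection to the address that passed this check rather than resolving the name a second time, since the answer can change between the two lookups.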