From owner-freebsd-java Tue Mar 5 12:14:41 2002
From: Dylan Carlson
Reply-To: absinthe@pobox.com
Organization: r e t r o v e r t i g o
To: freebsd-java@freebsd.org
Subject: Fwd: Java HTTP proxy vulnerability
Date: Tue, 5 Mar 2002 15:11:52 -0500
Message-Id: <20020305201505.0F55A1FD978@mail.3path.com>
Sender: owner-freebsd-java@FreeBSD.ORG

Is this addressed in the BSD JDK?

Cheers,

----------  Forwarded Message  ----------

Subject: Java HTTP proxy vulnerability
Date: 05 Mar 2002 02:32:24 +0100
From: Harmen van der Wal
To: bugtraq@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===Java HTTP proxy vulnerability===

Reference  wal-01
Version    1.0
Date       March 05, 2002

===Cross references

Sun Security Bulletin #00216
Microsoft Security Bulletin MS02-013

Vulnerability identifier CAN-2002-0058 (under review)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0058

===Classifications

Java, networking, HTTP
Web browsers, applets
Unchecked network access, HTTP proxy connection hijacking

===Abstract problem description

=Background

The Java security model is designed to allow code from an untrusted
source, usually web applets, to be safely executed.

=Problem

An applet could do irregular, unchecked HTTP requests.

=Consequence

Network access restrictions that apply, can be bypassed.

Only systems that have a HTTP proxy configured can be vulnerable.

One particular nasty exploit is where a remote server, aided by a
hostile applet, hijacks a browser's persistent HTTP connection to its
configured HTTP proxy.

===Affected software & patch availability; vendor bulletins

=Sun

Bulletin Number: #00216
Date: March 4, 2002
Title: HttpURLConnection
http://sunsolve.Sun.COM/pub-cgi/secBulletin.pl

(At the time of this writing bulletin 216 was not available on the
website yet.)

=Microsoft

Microsoft Security Bulletin MS02-013
Java Applet Can Redirect Browser Traffic
Originally posted: March 04, 2002
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/security/bulletin/MS02-013.asp
(URL is wrapped, please fix.)

=Netscape

Sun JVM (Java Virtual Machine) Issue
http://home.netscape.com/security/

===Vendor contact

Shortly after I, more or less by coincidence, discovered the issue, I
reported it to Sun on April 07, 2001. They communicated it to their
Java licensees, and coordinated a synchronized response.

=Free Java implementations

I audited both Kaffe and GNU Classpath class libraries, and to the
best of my knowledge, they are not vulnerable to this issue.

Anyone out there developing a free(TM) Java, please contact me if you
have questions or concerns, and I will be happy to assist you in any
way I can.

===Disclosure policy

I do not plan to release details of the vulnerability, that could make
it easier for crackers to get exploits, before a three month grace
period has expired.

Customers should not assume that the lack of vulnerability details at
this time will prevent the creation of exploit programs.

===Detailed problem description

No details are provided at this time. See Disclosure policy.

===PoC-exploit

I supplied Sun with a PoC-exploit, and they passed it on to other
vendors. No further distribution is expected.

===Software I tested/audited myself.

Sun/Blackdown 1.1.7/8, 1.2.2, 1.3.0/1 linux/win32
Netscape 4.61 default Java Runtime linux
MSIE 5.0 default Java Runtime win32
HotJava Browser 3.0
Kaffe 1.06
GNU Classpath 0.03

===Acknowledgment

Thanks to the vendors for addressing the issue. Special thanks to Sun,
in particular Chok Poh, for coordinating.

===Disclaimer & Copying

This comes with ABSOLUTELY NO WARRANTY!
Copying in whole and quoting parts permitted.

===History

Version 1.0 is the first release of this document.

Updates  http://www.xs4all.nl/~harmwal/issue/wal-01.txt

===Contact

Author  Harmen van der Wal
Mail    harmwal@xs4all.nl
PGP     http://www.xs4all.nl/~harmwal/harmen.pgp.txt

===End===

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8hBnWqX9LFhm8cvYRAsXwAJ4jr1pm6lTqarPmbZNhuc4gGAwNSACeMIg9
nEyfEY6Us0AxLR0FoKFM/Q0=
=a9rw
-----END PGP SIGNATURE-----

--
Harmen van der Wal - http://www.xs4all.nl/~harmwal/

-------------------------------------------------------

--
Dylan Carlson [absinthe@pobox.com]