On Wed, Aug 07, 2013 at 04:48:22PM +0300, Georgi Guninski wrote:
> On Wed, Aug 07, 2013 at 12:36:01PM +0200, [email protected] wrote:
> > Security researcher Georgi Guninski reported an issue with Java
>
> Just to clarify: I haven't reported _any_ "issues" to mozilla
> since years...
> They are not fast in fixing bugs, especially when involving
> other vendors.
> If I get pissed off, will try to find the dates about
> the "issue" in question (suspect since at least 4 years).
>

looks like it's more than 4 years...

from their advisory appears it is bug #406541.

Here it is:

Date: Mon, 3 Dec 2007 01:43:10 -0800
From: [email protected]
To:
Subject: [Bug 406541] New: local java applet may read arbitrary files under certain circumstances

Do not reply to this email. You can add comments to this bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=406541

Summary: local java applet may read arbitrary files under certain circumstances
Product: Firefox
Version: Trunk
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: --
Component: Security
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]

Created an attachment (id=291181)
 --> (https://bugzilla.mozilla.org/attachment.cgi?id=291181)
a1.java - compiled a1.class must be saved in
/tmp/DumbUglyB1llMarriedDumbUglyB1tch

recent trunk has restrictions on what local html can access

in bug 402998 Comment #8 someone with sun.com email asked to "post a test"
for local applet circumventing restrictions.

it is like beating a dead horse, but here it is:

if the path of the locally saved applet is known at applet compile time,
the applet can read any file.

note that if the luser saves files in a single directory, a two stage
attack may be successful with high probability.

suppose the applet is saved in directory:
/tmp/DumbUglyB1llMarriedDumbUglyB1tch

it should be instantiated like this:

<applet codebase="file:///" code="tmp.DumbUglyB1llMarriedDumbUglyB1tch.a1">
</applet>

and the applet should contain:

/*
 * This is the path to the applet filename:
 *
 */
package tmp.DumbUglyB1llMarriedDumbUglyB1tch;

public class a1 extends Applet {

--
Configure bugmail: https://bugzilla.mozilla.org/userprefs.cgi?tab=email

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
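
A defensive check for the pattern in the forwarded bug report, added here as an example (it is not part of the original message or of the attachment): it flags <applet> tags in locally saved HTML whose codebase is a file: URL above the page's own directory, and records whether the package in the code attribute spells out that directory path. The function names, the sample path /tmp/saved and the premise that the page and the class are saved in the same directory are assumptions of this example.

```python
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import unquote, urljoin, urlparse

class AppletFinder(HTMLParser):
    """Collect the attributes of every <applet> tag."""
    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        if tag == "applet":
            self.applets.append({k: v or "" for k, v in attrs})

def audit_local_html(html_text, doc_path):
    """Flag applets whose file: codebase is an ancestor of the page's directory."""
    doc_dir = PurePosixPath(doc_path).parent
    finder = AppletFinder()
    finder.feed(html_text)
    findings = []
    for attrs in finder.applets:
        if "codebase" not in attrs:
            continue  # default codebase is the page's own directory
        base = urlparse(urljoin("file://" + doc_path, attrs["codebase"]))
        if base.scheme != "file":
            continue
        base_dir = PurePosixPath(unquote(base.path) or "/")
        if base_dir not in doc_dir.parents:
            continue  # codebase is not an ancestor of the page's directory
        # A widened codebase means the class is named by a package that
        # spells out the directory path (assumes page and class share a dir).
        code = attrs.get("code", "").removesuffix(".class")
        package = tuple(code.split(".")[:-1])
        findings.append({
            "codebase": str(base_dir),
            "code": code,
            "package_mirrors_path": package == doc_dir.relative_to(base_dir).parts,
        })
    return findings

# Constructed sample: a page saved as /tmp/saved/page.html.
SAMPLE_PATH = "/tmp/saved/page.html"
SAMPLE_HTML = """
<applet code="Clock.class" width="100" height="100"></applet>
<applet codebase="file:///" code="tmp.saved.a1"></applet>
"""

if __name__ == "__main__":
    print(audit_local_html(SAMPLE_HTML, SAMPLE_PATH))
```

The first applet in the sample keeps the default codebase and is not reported; the second is reported with codebase "/" and a package that matches the save directory.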
