Hello, this is the mail I just received (in French).

Go and check for yourself: we can see the hard drives of some people on the net.

http://www.brumleve.com/BrownOrifice/

Sorry for posting this on this mailing list, but I thought this could interest some people.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: Serious flaw in the Netscape browser (all versions, all platforms)
Date: 08-08-2000
Source: BUGTRAQ
Subject: All

Description:
The Netscape browser (all versions) has a serious security flaw in the Java virtual machine that allows a malicious Java applet to read any file on the disk and to become an HTTP server, turning Netscape Navigator into an HTTP server that gives remote access to all the files on the disk. A demonstration program, called BOHTTPD, is available (along with its source). It is likely that this flaw (and variations on it) will be exploited very widely in the coming months.

Workaround:
None known apart from disabling Java. Variations of malicious applets that send the files via HTTP POSTs rather than acting as servers themselves are to be expected, which makes it possible to bypass firewalls.

Risk: Remote breach of confidentiality
Exploit: Available and public

Original advisory:

Hi all,

This probably isn't ripe for release yet, given that Netscape hasn't fixed it yet, but unfortunately the whole world knows about it now that it's been on SlashDot.

Basically, an unsigned Java applet in Netscape can read any file on the system AND act as a web server, serving those files to anywhere in the world. This is due to a bug in Java and a bug in Netscape.

http://www.brumleve.com/BrownOrifice/

Ciao, Chris.
Chris Wilson <[EMAIL PROTECTED]>
Unix Systems & Network Engineer
Perl/C/Web/Java Programming
Phone: 01223 503 190
RITC (Cambridge) Ltd
Cambridge CB3 0DG UK

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE5j8FycbJ8vksDG0YRAopgAKCSS2MPPjPEEDtfRl/8jxWqKv5Y4QCdHHnm
8PODSeMGQqQvp+w/wClYtx8=
=piCk
-----END PGP SIGNATURE-----

This advisory is signed with the PGP (DSA) key of [EMAIL PROTECTED]
The key is available at https://www.hsc.fr/veille/veille.asc
