> as you know, there are presently severe Java security problems.

I wasn't aware of that.  (Not that it makes any practical difference to
me, as the only thing I have that understands Java at all is made of
protoplasm, not silicon.)

> I am also not so sure how a Java applet could possibly check whether
> NTPD is installed on the local computer (where the browser runs).

Installed, probably not, at least not without making nonportable
assumptions like "installed from the Debian package" or "installed in
/usr/local/sbin".  Configured, likewise, though there probably is more
commonality in config file location than in NTP executable location.

> [...] as far as I remember, Java applets are /not/ normally allowed
> to contact network sockets on the browser's local computer.

That's actually not relevant, because, at least as far as I can tell,
there is no java involved.  I see two javascript scripts, but no java.
What's more, one of the scripts is broken.  They come from
src="/pub/TWiki/JQueryPlugin/jquery-all.js" and src="scripts.js".

The former exists and fetches fine; it's relatively unreadable, because
it's had newlines and much of the whitespace crunched out.  However,
it's also over 90K, and I'm not up to reading that much JS.  Looking
for NTP (case-insensitive, of course) finds only one hit, which is a
false positive; searching for 123 finds nothing at all.  So if there's
any NTP-related code in here it is going out of its way to hide.

The latter, fetched as ntp.br/NTP/scripts.js because it's a relative
path, returns a 302 redirect to
Location: 
http://ntp.br/bin/oops/NTP/scripts/Js?template=oopsaccessdenied;def=no_such_web;param1=view;template=oopsaccessdenied;def=no_such_web;param1=view
which is a 302 to www.ntp.br/NTP/WebHome, which is text/html (and
which, amusingly enough, also includes a text/javascript script calling
on that same scripts.js - it's on www.ntp.br, not ntp.br, but when
fetched it produces a 302 to the same place as the ntp.br version).

> I could think of several easy ways to verify NTPD installation, e.g.,
> a simple ntpdq call or checking logs.

If you can't speak to 127.0.0.1 port 123, I should certainly hope you
can't run arbitrary programs like ntpdq.  (Also, what's ntpdq?  None of
my NTP installs have anything by that name.)

Checking logs depends on making assumptions about where the NTP daemon
logs and what its log entries look like.  It might be
kinda-sorta-mostly accurate, but probably no better than that.

> Maybe Antonio can briefly describe what the applet does and how it
> works?

Indeed.  I'd also be interested to hear where it's hiding in that
VerificadorNTP page.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                [email protected]
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
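Added example, not from the mail above or from the ntp.br page: the
three checks the thread argues about (is the binary in one of the usual
places, is there a config file, does anything answer on 127.0.0.1:123),
written as a native program, since a browser script cannot do any of
them.  The candidate paths and binary names are assumptions of the
kind the post calls nonportable; the server reply used for offline
testing is constructed, not captured.

```python
"""Local NTP daemon checks as a native program (added example).

Every path and binary name below is an assumption; the point of the
mail is that such guesses are not a reliable test of 'NTPD installed'.
"""
import os
import shutil
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

# Assumed locations (Debian-style and /usr/local-style); not portable.
CANDIDATE_BINARIES = ["ntpd", "xntpd", "chronyd"]
CANDIDATE_DIRS = ["/usr/sbin", "/usr/local/sbin", "/sbin", "/usr/bin"]
CANDIDATE_CONFIGS = ["/etc/ntp.conf", "/etc/ntpd.conf", "/etc/chrony.conf",
                     "/usr/local/etc/ntp.conf"]


def find_installed(binaries=CANDIDATE_BINARIES, dirs=CANDIDATE_DIRS,
                   configs=CANDIDATE_CONFIGS):
    """Guess whether an NTP daemon is installed by looking in the usual
    places.  Returns (executable_path_or_None, config_path_or_None)."""
    search_path = os.pathsep.join(dirs)
    exe = None
    for name in binaries:
        exe = shutil.which(name, path=search_path)
        if exe:
            break
    conf = None
    for candidate in configs:
        if os.path.isfile(candidate):
            conf = candidate
            break
    return exe, conf


def build_ntp_request():
    """48-byte NTPv4 client request: LI=0, VN=4, Mode=3; the transmit
    timestamp (bytes 40..47) carries our send time in NTP format."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3          # 0x23
    now = time.time() + NTP_EPOCH_OFFSET
    secs = int(now)
    frac = int((now - secs) * (1 << 32))
    struct.pack_into("!II", pkt, 40, secs, frac)
    return bytes(pkt)


def parse_ntp_response(data):
    """Decode the header fields of a reply; raises on a short packet."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li = data[0] >> 6
    vn = (data[0] >> 3) & 7
    mode = data[0] & 7
    stratum = data[1]
    tx_secs, tx_frac = struct.unpack_from("!II", data, 40)
    tx_unix = tx_secs - NTP_EPOCH_OFFSET + tx_frac / (1 << 32)
    return {"li": li, "version": vn, "mode": mode, "stratum": stratum,
            "transmit_time": tx_unix}


def is_daemon_reply(fields):
    """Mode 4 means a server answered; stratum 0 (kiss-o'-death) or 16
    (unsynchronized) still proves a daemon is listening."""
    return fields["mode"] == 4 and fields["version"] in (3, 4)


def probe_local_ntp(host="127.0.0.1", port=123, timeout=1.0):
    """Send one client request; return parsed reply, or None if nothing
    answered (no daemon, a firewall, or a daemon that ignores us)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_ntp_request(), (host, port))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return None
    return parse_ntp_response(data)


def make_sample_reply(stratum=2, tx_unix=1700000000):
    """Constructed server reply for offline use (not a real capture):
    LI=0, VN=4, Mode=4, given stratum, transmit time tx_unix + 0.5s."""
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 4
    pkt[1] = stratum
    struct.pack_into("!II", pkt, 40, tx_unix + NTP_EPOCH_OFFSET, 1 << 31)
    return bytes(pkt)


if __name__ == "__main__":
    print("installed guess:", find_installed())
    reply = probe_local_ntp()
    print("127.0.0.1:123 answered:",
          is_daemon_reply(reply) if reply else False)
```

Run it as a normal user: it needs no privileges, since the client side
of UDP 123 is an unprivileged port.  A None from probe_local_ntp only
tells you that nothing answered within the timeout; ntpd configured
with "restrict default ignore" on the loopback interface will also
stay silent, so a negative probe is not proof of absence.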