Date: 24 Aug 2001 22:58:58 -0000
From: Daniel Kasmeroglu <daniel.kasmeroglu@web.de>
To: bugtraq@securityfocus.com
Subject: Java Plugin 1.4 with JRE 1.3 -> Ignores certificates.
During work I've found out that the combination of the
Java Plugin 1.4 with the JRE 1.3 doesn't handle
certificates properly. An applet signed with an
outdated certificate shouldn't be able to get access to
the filesystem on the client machine. However this
happens when using the named combination. So my
applet was able to do some filesystem operations
without a valid certificate. For better bugtracking I've
generated some files (HTML,JSP,Applet,Certificate)
to reproduce this problem.
Here you'll find these files:
http://user.cs.tu-berlin.de/~raptor/SecurityFault/
Starting point is the file SecurityFault.html .If you got
JBuilder a corresponding project file is included.
