Bugtraq mailing list archives
Re: [VulnWatch] The Java applet sandbox and stateful firewalls
From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 01 Aug 2005 14:15:16 +0200
* Dinis Cruz:
Is the Java Sandbox able to create outgoing connections on ports like 445? Also, even if it is possible, if a service like MS-SQL is already binded to 1433, then wouldn't an error be thrown saying something like 'Port already in use'.
This doesn't matter because in the PORT command sent to the FTP-like server, the applet can reference a port which is not controlled by the applet. No checks take place, and it's perfectly possible to specify an already bound port. The firewall has no way to know that the port actually belongs to some other process on the host (not the applet/FTP client), and the sendbox does not examine the contents of TCP data transfers at all. Some NAT devices restrict access to 445/TCP, 139/TCP and a few more ports, but by its nature, this list is incomplete and does not cover all problematic TCP ports.
Current thread:
- The Java applet sandbox and stateful firewalls Florian Weimer (Aug 01)
- Re: [VulnWatch] The Java applet sandbox and stateful firewalls Dinis Cruz (Aug 02)
- Re: [VulnWatch] The Java applet sandbox and stateful firewalls Florian Weimer (Aug 02)
- Re: [VulnWatch] The Java applet sandbox and stateful firewalls Dinis Cruz (Aug 02)