November 24, 2000
Lotus Notes Client R5 is a messaging and collaboration tool that contains a built in web browser. The web browser implements a Java Virtual Machine (VM) designed specifically for Lotus Notes. A security vulnerability exists in the Execution Control List (ECL) feature within the Java VM that may allow a third party intruder to verify the existence of files on the system. The ECL utilizes a much more lenient ruleset when accessing local files than the standard Java security model implemented by JDK 1.1 which prohibits any access to local files. The ECL will present the user with a dialogue box whenever he/she attempts to read an existing local file if the getSystemResource() method of the java.lang.ClassLoader class is used. At this point, the user can either authorize execution or abort the operation.
By observing the time elapsed during execution, it is possible to verify the existence of files on the target machine through a specially crafted java applet. If a malicious website operator were to host such a java applet on their site, they would be able to determine what files exist on the visitor's systems.
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
Discovered by Yasuyuki Endo and Hiromitsu Takagi and posted to Bugtraq on November 24, 2000.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from email@example.com
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and firstname.lastname@example.org
are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.