ch30.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,283 行 · 第 1/5 页

<P>So, you're wondering exactly what Java can do to your machine. First, for some
time, people insisted that Java could not in any way access information located on
the hard drive of your computer. Security features within the Java language generally
forbid this from happening. However, one independent researcher, Jim Buzbee, was
able to develop an applet that did access such information. On his Web page (where
you can demo the applet), Buzbee explains:

<DL>
	<DD>In most Java implementations, security policy forbids applets from reading the
	local directory structure. I have discovered that it is possible for an applet, using
	only Java, to determine if specified files exist on the file system of the client
	machine. The applet I have prototyped cannot read or write to the file, but it can
	detect its presence. My applet is then free to surreptitiously e-mail the result
	of the file search to any machine on the Internet, for example MarketResearch@ microsoft.com.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Buzbee's Web page is
	at <A HREF="http://www.nyx.net/~jbuzbee/hole.html"><TT>http://www.nyx.net/~jbuzbee/hole.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Buzbee's applet is truly extraordinary. It accesses your hard drive and looks
for some commonly known (and jealously protected) files. One is the <TT>/etc/passwd</TT>
file. Another is <TT>MSOffice</TT> (a directory on machines using Microsoft Office).
For some reason, the applet moves quite slowly. However, it is capable of identifying
which files exist on the drive.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>If you want to check
	out the applet for yourself (it does no harm and will not lock your browser), you
	can access it at <A HREF="http://www.nyx.net/~jbuzbee/filehole.html"><TT>http://www.nyx.net/~jbuzbee/filehole.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>The ultimate page for hostile applets is Mark DeLue's. It sports a list of hostile
Java applets and their source code. Some of the more amusing ones include

<UL>
	<LI><TT>NoisyBear.java</TT>--Displays a bear that runs an audio clip. The bear cannot
	be deleted without killing and rebooting the browser.<BR>
	<BR>
	
	<LI><TT>AttackThread.java</TT>--Displays large black windows that the user cannot
	grab or otherwise dispose of. This applet requires that you restart the system or
	the machine. Nasty.<BR>
	<BR>
	
	<LI><TT>Forger.java</TT>--Forges an e-mail message from the victim to a pre-specified
	target. Very interesting implementation that proves at least that applications can
	be actively attacked and manipulated.
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>There are over a dozen
	more applets at DeLue's page. Check them out at <A HREF="http://www.math.gatech.edu/~mladue/SourceCode.html"><TT>http://www.math.gatech.edu/~mladue/SourceCode.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>I have written mainly about the bad aspects of Java. That is largely because this
book examines weaknesses. Now, I would like to write a few words about Java's good
points.</P>
<P>If you have ever engaged in the development of WWW sites, you know how difficult
it is. In today's environment, the WWW site has to be crisp, clean, and engaging.
The days of the solid gray background and unjustified text are over. Now, consumers
expect something entertaining. Moreover, functionality is expected to exceed simple
quote generators and auto-response mail. Perl is largely responsible for many of
the menial tasks involved in data processing on the Web, but Java is by far the most
powerful application for developing multimedia Web pages. This, coupled with high-end
tools such as Fusion by NetObjects and FrontPage by Microsoft, can place you at the
very edge of Web design.
<H4><FONT COLOR="#000077"><B>Java Books, Articles, Papers, and Other Resources</B></FONT></H4>
<P><B>Java Security: Hostile Applets, Holes, &amp; Antidotes.</B> Gary McGraw and
Ed Felten. John Wiley &amp; Sons. ISBN: 0-471-17842-X. 1996.</P>
<P><B>Java Security.</B> Gary McGraw and Edward Felten. SIGS. ISBN: 1-884842-72-0.
1996.</P>
<P><B>Java Developer's Guide.</B> Jamie Jaworski and Cary Jardin. Sams.net. ISBN:
1-57521-069-X. 1996.</P>
<P><B>Java Developer's Reference.</B> Mike Cohn, Michael Morrison, Bryan Morgan,
Michael T. Nygard, Dan Joshi, and Tom Trinko. Sams.net. ISBN: 1-57521-129-7. 1996.</P>
<P><B>Developing Intranet Applications with Java.</B> Jerry Ablan, William Robert
Stanek, Rogers Cadenhead, and Tim Evans. Sams.net. ISBN: 1-57521-166-1. 1996.</P>
<P><B>The Java Handbook.</B> Patrick Naughton. Osborne/McGraw-Hill. ISBN: 0-07-882199-1.
1996.</P>
<P><B>Just Java, 2nd Edition.</B> Peter van der Linden. Sunsoft Press/Prentice Hall.
ISBN: 0-13-272303-4. 1996.</P>
<P><B>Java in a Nutshell: A Desktop Quick Reference for Java Programmers.</B> David
Flanagan. O'Reilly &amp; Associates, Inc. ISBN: 1-56592-183-6. 1996.</P>
<P><B>The Java Language Specification.</B> Addison-Wesley. James Gosling, Bill Joy,
and Guy Steele. ISBN: 0-201-63451-1. 1996.</P>
<P><B>&quot;Java as an Intermediate Language.&quot;</B> Technical Report, School
of Computer Science, Carnegie-Mellon University, Number CMU-CS-96-161, August 1996.

<UL>
	<LI><A HREF="http://www.cs.cmu.edu/afs/cs.cmu.edu/project/scandal/public/papers/CMU-CS-96-161.ps.Z"><TT>http://www.cs.cmu.edu/afs/cs.cmu.edu/project/scandal/public/papers/CMU-CS-96-161.ps.Z</TT></A>
</UL>

<P><B>&quot;Java &amp; HotJava: Waking Up the Web.&quot;</B> Sean Gonz&#225;lez.
<I>PC Magazine</I>. October 1995.

<UL>
	<LI><A HREF="http://www.zdnet.com/~pcmag/issues/1418/pcm00085.htm"><TT>http://www.zdnet.com/~pcmag/issues/1418/pcm00085.htm</TT></A>
</UL>

<P><B>&quot;Java: The Inside Story.&quot;</B> Michael O'Connell. <I>Sunworld Online</I>.
Vol. 07. July 1995.

<UL>
	<LI><A HREF="http://www.sun.com/sunworldonline/swol-07-1995/swol-07-java.html"><TT>http://www.sun.com/sunworldonline/swol-07-1995/swol-07-java.html</TT></A>
</UL>

<P><B>&quot;Briki: A Flexible Java Compiler.&quot;</B> Michael Cierniak and Wei Li.
TR 621, URCSD, May 1996.

<UL>
	<LI><A HREF="ftp://ftp.cs.rochester.edu/pub/papers/systems/96.tr621.Briki_a_flexible_java_compiler.ps.gz"><TT>ftp://ftp.cs.rochester.edu/pub/papers/systems/96.tr621.Briki_a_flexible_java_compiler.ps.gz</TT></A>
</UL>

<P><B>&quot;NetProf: Network-Based High-Level Profiling of Java Bytecode.&quot;</B>
Srinivasan Parthasarathy, Michael Cierniak, and Wei Li. TR 622, URCSD, May 1996.

<UL>
	<LI><A 
HREF="ftp://ftp.cs.rochester.edu/pub/papers/systems/96.tr622.NetProf_network-based_high-level_profiling_of_java_bytecode.ps.gz"><TT>ftp://ftp.cs.rochester.edu/pub/papers/systems/96.tr622.NetProf_network-based_high-level_profiling_of_java_bytecode.ps.g
z</TT></A>
</UL>

<P><B>MIME Encapsulation of Aggregate Applet Objects</B> (mapplet). A. Bahreman,
J. Galvin, and R. Narayanaswamy.

<UL>
	<LI><A HREF="http://src.doc.ic.ac.uk/computing/internet/internet-drafts/draft-bahreman-mapplet-spec-00.txt.Z"><TT>http://src.doc.ic.ac.uk/computing/internet/internet-drafts/draft-bahreman-mapplet-spec-00.txt.Z</TT></A>
</UL>

<P><B>&quot;H-38: Internet Explorer 3.x Vulnerability.&quot;</B> (CIAC Advisory)
March 4, 1997.

<UL>
	<LI><A HREF="http://ciac.llnl.gov/ciac/bulletins/h-38a.shtml"><TT>http://ciac.llnl.gov/ciac/bulletins/h-38a.shtml</TT></A>
</UL>

<P><B>Internet Java &amp; ActiveX Advisor.</B> Journal.

<UL>
	<LI><A HREF="http://www.advisor.com/ia.htm"><TT>http://www.advisor.com/ia.htm</TT></A>
</UL>

<P><B>Java Developer's Journal.</B>

<UL>
	<LI><A HREF="http://www.javadevelopersjournal.com/java/"><TT>http://www.javadevelopersjournal.com/java/</TT></A>
</UL>

<P><B>Java Report.</B> Journal.

<UL>
	<LI><A HREF="http://www.sigs.com/jro/"><TT>http://www.sigs.com/jro/</TT></A>
</UL>

<P><B>Javaworld. </B>Journal.

<UL>
	<LI><A HREF="http://www.javaworld.com/"><TT>http://www.javaworld.com/</TT></A>
</UL>

<P><B>Gamelan. </B>The ultimate Java archive.

<UL>
	<LI><A HREF="http://www-a.gamelan.com/index.shtml"><TT>http://www-a.gamelan.com/index.shtml</TT></A>
</UL>

<H2><FONT COLOR="#000077"><B>Perl</B></FONT></H2>
<P>Occasionally, just occasionally, a product emerges from the Internet that is truly
magnificent. Perl is once such product. What started as a small project for Larry
Wall (Perl's creator) turned into what is likely the most fluid, most easily implemented
language ever created.</P>
<P>Imagine a programming language that combines some of the very best attributes
of languages such as C, sed, awk, and BASIC. Also, remember that the size of Perl
programs are a fraction of what compiled C programs consume. Finally, Perl is almost
too good to be true for creating CGI applications for use on the WWW. Manipulation
of text in Perl is, I think, unrivaled by any computer language.</P>
<P>Perl is heavily relied on as a tool for implementing CGI. Like most programming
tools, Perl does not contain many inherent flaws. However, in inexperienced hands,
Perl can open a few security holes of its own.
<H3><FONT COLOR="#000077"><B>Perl and CGI</B></FONT></H3>
<P>CGI is a relatively new phenomenon. It is of significant interest because it offers
an opportunity for all programmers to migrate to Web programming. Essentially, CGI
can be done on any platform using nearly any language. The purpose of CGI is to provide
dynamically built documents and processes to exist on the World Wide Web.</P>
<P><I>Dynamic</I> here means that the result will vary depending on user input. The
result--usually a newly formed Web page--is generated during the CGI process. The
easiest way for you to understand this is to examine a Perl script in action. Imagine
a Web page with a single form, like the one in Figure 30.4.</P>
<P><A NAME="04"></A><A HREF="04.htm"><B>FIGURE 30.4.</B></A> <I><BR>
The SAMS CGI sample page.</I></P>
<P>The page in Figure 30.4 has a single input field named <TT>editbox</TT>, which
you can see within the following HTML source code:</P>
<PRE><FONT COLOR="#0066FF">&lt;HTML&gt;
&lt;HEAD&gt;
&lt;TITLE&gt;SAMS CGI Example&lt;/TITLE&gt;
&lt;/HEAD&gt;
&lt;BODY bgcolor = &quot;#ffffff&quot;&gt;
&lt;P &gt;&lt;/P&gt;
&lt;P &gt;The Anatomy of a CGI Program&lt;/P&gt;
&lt;P &gt;&lt;/P&gt;
&lt;P &gt;&lt;/P&gt;
&lt;FORM  ACTION = &quot;getit.cgi&quot; METHOD = &quot;Get&quot; &gt;
&lt;P &gt;&lt;INPUT TYPE = TEXT NAME = &quot;editbox&quot; SIZE = 20 MAXLENGTH = 20&gt;&lt;/P&gt;
&lt;/FORM&gt;
&lt;/BODY&gt;
&lt;/HTML&gt;
</FONT></PRE>
<P>Within that code, the form that holds <TT>editbox</TT> also points to a script
program on the hard drive. That script, called <TT>getit.cgi</TT>, appears in bold
in the following HTML code:</P>
<PRE><FONT COLOR="#0066FF">&lt;HTML&gt;
&lt;HEAD&gt;
&lt;TITLE&gt;SAMS CGI Example&lt;/TITLE&gt;
&lt;/HEAD&gt;
&lt;BODY bgcolor = &quot;#ffffff&quot;&gt;
&lt;P &gt;&lt;/P&gt;
&lt;P &gt;The Anatomy of a CGI Program&lt;/P&gt;
&lt;P &gt;&lt;/P&gt;
&lt;P &gt;&lt;/P&gt;
&lt;FORM  ACTION = &quot;getit.cgi&quot; METHOD = &quot;Get&quot; &gt;
&lt;P &gt;&lt;INPUT TYPE = TEXT NAME = &quot;editbox&quot; SIZE = 20 MAXLENGTH = 20&gt;&lt;/P&gt;
&lt;/FORM&gt;
&lt;/BODY&gt;
&lt;/HTML&gt;
</FONT></PRE>
<P>So <TT>editbox</TT> refers to the input box on the form; you assign this name
to the box so that later, when you need to, you can refer to the box (and its contents)
as a variable. You know from the preceding code that the contents of <TT>editbox</TT>
will be sent