Vigil@nce: Java, file access via JFileChooser
February 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A malicious applet can use javax.swing.JFileChooser to access
files automatically.
– Severity: 1/4
– Creation date: 08/02/2011
IMPACTED PRODUCTS
– Java JRE/JDK/J2SE
DESCRIPTION OF THE VULNERABILITY
The javax.swing.JFileChooser component is used to browse a
filesystem and to choose a file.
If this component is directly instantiated in an applet, a
SecurityException occurs. However, an attacker can call
javax.swing.text.html.FormView to instantiate a JFileChooser. He
can thus automatically:
– browse the file system
– create a directory
– rename a file
A malicious applet can therefore use javax.swing.JFileChooser to
access files automatically.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Java-file-access-via-JFileChooser-10337