Hi,

I just installed 4.75 (source from Netscape) and tried a few tests in regards to the Java exploit (Brown Orifice HTTPD). I went to the following webpage, http://www.brumleve.com/BrownOrifice/, that has a demo of Brown Orifice HTTPD and allowed it to do its thing to my machine. It did open up tcp port 8080 (as an nmap scan of my machine showed), but it did not allow me to connect or view any files.

Is this exploit fixed in the latest release of Netscape 4.75? I believe it is and is not. I do not have the ability to connect to the 8080 port and view my files, even though it is open. But then again, why does it still allow Brown Orifice HTTPD to open up a port on my machine? Isn't this a problem itself and still a potential security vulnerability?

After killing all Netscape processes, according to another nmap scan of my machine, tcp port 8080 was closed.

Sorry that I couldn't give a definite yes or no, but that would and SHOULD come from Netscape themselves. BOOO and HISSS to Netscape for leaving their users in the dark. Perhaps they don't care anymore now that AOL owns their ass.

jason

Stefan Suurmeijer wrote:
Hi all,
Has anybody seen/heard any confirmation from Netscape that the new release (4.75) has plugged the Java security hole?? Through all this I have heard absolutely nothing from Netscape, either on Bugtraq or their web pages: no acknowledgement of the vulnerability, no news, no nothing. In my book this makes them an early frontrunner for worst vulnerability handling of the year.
Stefan