jar applet - security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

tsetse
Forum Newbie
Posts: 3
Joined: Sat Apr 27, 2013 1:52 am


Post by tsetse »

Hello,

My goal was to embed a web-based SSH client in my PHP site. So I searched the Internet and found a jar that suited my site.
This jar file (am I allowed to post here which one I found?) is loaded through <applet>.

My question is whether this file is secure or not, given that this SSH client gives you root permissions on systems, lets you type passwords and log in remotely to other systems (using passwords again). Probably this jar file could be harmful enough to collect passwords and send them somewhere else, couldn't it?

How can I confirm that this code is secure enough? (e.g. TCP dumping, to catch whether that file communicates with somewhere else; antivirus scanning)

Thanks a lot :)
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: jar applet - security

Post by requinix »

How are the credentials passed? Do you still have to log in or does it automatically go in as root? How does it know the root password? Why is root allowed SSH access in the first place?
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: jar applet - security

Post by twinedev »

I think the main concern OP has is how to make sure that the applet isn't collecting any keystrokes (which would also possibly include logins).
tsetse
Forum Newbie
Posts: 3
Joined: Sat Apr 27, 2013 1:52 am

Re: jar applet - security

Post by tsetse »

My concern is what twinedev said...

Actually, when the applet is loaded, a shell client appears in my PHP site and prompts for a login and password (for the localhost system, which is the default). This logs me in to localhost as root. Then I can log in remotely to any other system I am allowed to...

The question is whether that code is dangerous enough to collect such passwords.

I guess there are two ways:
a) dumping the traffic, but this is not 100% secure since it may send the passwords on a schedule
b) unpacking the .jar file into its .class files and then .java files and going through them. Is there any NetBeans module or other tool with which I can unpack the .jar file? I am not sure if this can be done
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: jar applet - security

Post by requinix »

The client could run a shell command that downloads and executes a malicious binary; that could be difficult to see just by dumping traffic.

.jar files are packaged .class files, but you'd still have to decompile the .class intermediate code to a human-readable version, which is possible to do. Seeing the source code is the only way you can be sure what the client actually does.
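Following up on tsetse's option (b) and requinix's point that only the code tells you what the client really does, here is an added example (not code from this thread, and not taken from the applet in question) of a first static pass to run before reaching for a decompiler. It lists the jar's entries, notes whether a signature block is present, reads the manifest's Permissions attribute, and parses each class file's constant pool for strings that point at Runtime/ProcessBuilder, sockets, hard-coded URLs, keystroke capture or dynamic class loading. The jar and class files it examines are constructed inline for the demonstration; the package, class names and the URL are placeholders.

```python
"""Static triage of an applet .jar (added example, not from the thread):
list entries, check for a signature block, read the manifest Permissions
attribute, and scan each class's constant pool for suspicious strings."""
import io
import re
import struct
import zipfile

# Payload width in bytes for every fixed-size constant-pool tag (JVM spec, section 4.4).
FIXED_WIDTH = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Constants that deserve a closer look inside something claiming to be an SSH client.
SUSPICIOUS = {
    "exec": re.compile(r"java/lang/(Runtime|ProcessBuilder)"),
    "network": re.compile(r"java/net/(Socket|URL|HttpURLConnection)|https?://"),
    "keystroke": re.compile(r"java/awt/Robot|KeyListener|KeyEvent"),
    "dynamic_code": re.compile(r"java/lang/reflect/|defineClass|URLClassLoader"),
}


def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", class_bytes[8:10])[0]
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            out.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in FIXED_WIDTH:
            pos += FIXED_WIDTH[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        idx += 2 if tag in (5, 6) else 1  # long and double occupy two slots
    return out


def triage_jar(jar_bytes):
    """Summarise a jar: entries, signature presence, manifest permissions,
    and which classes reference suspicious APIs or embedded URLs."""
    report = {"entries": [], "signed": False, "manifest_permissions": None, "hits": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            report["entries"].append(name)
            if name.startswith("META-INF/") and name.endswith((".SF", ".RSA", ".DSA", ".EC")):
                report["signed"] = True
            if name == "META-INF/MANIFEST.MF":
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.lower().startswith("permissions:"):
                        report["manifest_permissions"] = line.split(":", 1)[1].strip()
            if name.endswith(".class"):
                consts = utf8_constants(zf.read(name))
                hits = {}
                for label, pat in SUSPICIOUS.items():
                    matched = sorted({c for c in consts if pat.search(c)})
                    if matched:
                        hits[label] = matched
                if hits:
                    report["hits"][name] = hits
    return report


def _class_file(utf8_strings):
    """Minimal class file whose constant pool holds the given strings plus a
    Class ref and a two-slot Long. Constructed test input, not a real applet."""
    pool = [b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in utf8_strings]
    pool.append(b"\x07" + struct.pack(">H", 1))   # CONSTANT_Class -> utf8 entry #1
    pool.append(b"\x05" + struct.pack(">Q", 0))   # CONSTANT_Long, two slots
    count = len(utf8_strings) + 1 + 2 + 1         # constant_pool_count = slots + 1
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, count)
    # access_flags, this_class, super_class, then empty interfaces/fields/methods/attributes
    trailer = struct.pack(">HHHHHHH", 0x0021, len(utf8_strings) + 1, len(utf8_strings) + 1, 0, 0, 0, 0)
    return header + b"".join(pool) + trailer


def build_sample_jar():
    """Constructed jar: one class that shells out and phones home, one that does not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n\r\n")
        zf.writestr("com/example/Term.class", _class_file([
            "com/example/Term", "java/lang/Runtime", "exec",
            "(Ljava/lang/String;)Ljava/lang/Process;", "http://example.invalid/collect"]))
        zf.writestr("com/example/Clean.class", _class_file(["com/example/Clean", "java/lang/Object"]))
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar()).items():
        print(key, "=", value)
```

A hit is a lead, not proof: a legitimate SSH client may well reference sockets and key events, and a hostile one can build its strings at runtime or load a second stage through reflection, which is exactly why the decompile-and-read step (with a tool such as CFR, Procyon or JD-GUI) still has to follow, and why watching the applet's outbound connections on the host complements rather than replaces it. An unsigned jar, or a manifest asking for all-permissions, is worth noting before anything else.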