PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




 Post subject: jar applet - security
PostPosted: Sun Apr 28, 2013 2:59 pm 
Forum Newbie

Joined: Sat Apr 27, 2013 1:52 am
Posts: 3
Hello,

My goal was to embed a web-based SSH client in my PHP site. So I searched the Internet and found a jar that suited my site.
This jar file (is it allowed to post here which one I found?) is loaded through <applet>.

My question is whether this file is secure or not, given that this SSH client gives you root permissions on systems, lets you type passwords and log in remotely to other systems (using passwords again). Probably, this jar file could be harmful enough to collect passwords and send them somewhere else, couldn't it?

How can I confirm that this code is secure enough? (i.e. tcp dumping - to catch if that file communicates with somewhere else, antivirus scanning)

Thanks a lot :)


PostPosted: Sun Apr 28, 2013 4:31 pm
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
How are the credentials passed? Do you still have to log in or does it automatically go in as root? How does it know the root password? Why is root allowed SSH access in the first place?


PostPosted: Sun Apr 28, 2013 7:08 pm
Forum Regular

Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
I think the main concern OP has is how to make sure that the applet isn't collecting any keystrokes (which would also possibly include logins).


PostPosted: Mon Apr 29, 2013 9:42 am
Forum Newbie

Joined: Sat Apr 27, 2013 1:52 am
Posts: 3
My concern is what twinedev said...

Actually, when the applet is loaded, a shell client appears in my PHP site and prompts for login and password (for the localhost system, which is the default) --> this logs me in to the localhost as root. Then, I can log in remotely to any other system I am allowed to...

The question is whether that code is dangerous enough to collect such passwords.

a) I guess there are two ways, dumping the traffic --> this is not 100% secure since it may send the passwords in a scheduled way
b) resolve the .jar file to its .class files and then .java files and go through them --> is there any Netbean module or other, where I can depackage the .jar file? I am not sure if this can be done


PostPosted: Mon Apr 29, 2013 12:42 pm
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
The client could run a shell command that downloads and executes a malicious binary; could be difficult to see that just dumping traffic.

.jar files are packaged .class files but you'd still have to decompile the .class intermediate code to a human-readable version. Which is possible to do. Seeing the source code is the only way you can be sure what the client actually does.
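
A first-pass check before decompiling, as an added example that is not part of the original thread: because a .jar is a zip of .class files, the classes each file references can be read straight from its constant pool and compared against APIs that open connections or start processes. The function names, the watch list and the sample class bytes are assumptions constructed for illustration.

```python
import io, struct, zipfile
# Payload bytes per fixed-size constant-pool tag (JVM class file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed watch list: APIs that open connections or start processes.
WATCH = ("java/net/", "javax/net/", "java/lang/Runtime", "java/lang/ProcessBuilder")

def class_refs(data):
    """Return the class names referenced by CONSTANT_Class entries."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pos, i, utf8, class_idx = 10, 1, {}, []
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # Utf8: u2 length followed by the bytes
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in FIXED:
            if tag == 7:  # Class: u2 index of the Utf8 entry holding the name
                class_idx.append(struct.unpack(">H", data[pos:pos + 2])[0])
            pos += FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        i += 2 if tag in (5, 6) else 1  # long and double occupy two pool slots
    return {utf8[k] for k in class_idx if k in utf8}

def triage_jar(jar):
    """Map each .class entry of a jar to the watched APIs it references."""
    report = {}
    with zipfile.ZipFile(jar) as z:
        for name in z.namelist():
            if name.endswith(".class"):
                hits = sorted(r for r in class_refs(z.read(name)) if r.startswith(WATCH))
                if hits:
                    report[name] = hits
    return report

def sample_jar():
    """Constructed input: one class header plus constant pool, zipped in memory."""
    u = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    pool = [u("Term"), b"\x07\x00\x01", u("java/net/Socket"), b"\x07\x00\x03",
            u("java/lang/Runtime"), b"\x07\x00\x05", b"\x05" + bytes(8),
            u("java/lang/String"), b"\x07\x00\x09"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Term.class", b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, 11) + b"".join(pool))
    return io.BytesIO(buf.getvalue())
```

A hit only marks where to start reading the decompiled source: an SSH client legitimately references `java/net/Socket`, and classes loaded through reflection appear as plain strings rather than class references, so they are not listed here.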

