{"vuid":"VU#544392","idnumber":"544392","name":"Sun Java Plugin may create temporary files with predictable names","keywords":["Sun","Java Plugin","temporary files","8 dot 3"],"overview":"The Sun Java Plugin may allow remote users to create files with arbitrary content in a specific location.","clean_desc":"From the Sun Java Plugin page: Java Plug-in technology, included as part of the Java 2 Runtime Environment, Standard Edition (JRE), establishes a connection between popular browsers and the Java platform. This connection enables applets on Web sites to be run within a browser on the desktop. When running code, the Sun Java Plugin creates temporary files in a known location with a long file name for the classes being executed. These filenames are predictable when referenced by the \"short\" name, which provides compatibility with the older FAT filesystem used in some operating systems. For example, a file C:\\Long Folder Name may have a \"short\" (or \"8.3\") filename of C:\\LONGFO~1 Normally, any temporary data stored by the Sun Java Plugin will contain a randomized string in the long filename: Sprocket.jar-76251372-2a771823.zip\nSprocket.jar-76251372-2a771823.idx However, the \"short\" name may discard the entire string: SPROCK~1.ZIP\nSPROCK~1.IDX In this manner, an attacker could create arbitrary content in a known location on a user's system, and use the data in conjunction with another unrelated exploit.","impact":"This flaw may not constitute a large security risk by itself. However, an attacker gains the ability to create arbitrary file data in a known location that may then be used in another unrelated attack.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem.","workarounds":"The Sun Java Plugin can be configured to use a nonstandard location for temporary files. This is accomplished in the Java Control Panel, by selecting the \"Settings\" button in the \"Temporary Internet Files\" section of the \"General\" tab.","sysaffected":"","thanks":"Thanks to Andreas Sandblad of Secunia Research for reporting this vulnerability.","author":"This document was written by Ken MacInnis based primarily on information from Secunia.","public":["h","t","t","p",":","/","/","s","e","c","u","n","i","a",".","c","o","m","/","a","d","v","i","s","o","r","i","e","s","/","1","1","0","7","0","/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-02-11T20:21:52Z","publicdate":"2005-02-08T00:00:00Z","datefirstpublished":"2005-02-11T21:13:09Z","dateupdated":"2005-02-11T21:13:16Z","revision":9,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"10","cam_impact":"11","cam_easeofexploitation":"10","cam_attackeraccessrequired":"14","cam_scorecurrent":"5.775","cam_scorecurrentwidelyknown":"7.21875","cam_scorecurrentwidelyknownexploited":"12.99375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":5.775,"vulnote":null}