views:

203

answers:

8

Is there any way in which .java files on a web server, that are linked via an anchor tag, could possibly, conceivably, cause damage anywhere -- on the server or client machine?

I don't see how on Earth that could possibly happen -- we're talking about an ASCII text file and an anchor tag, but I have been dealing with an IT person who will not let me post .java files on a web server because of the security risk.

Please, don't be too harsh in your responses ;-)

+1  A: 

It is a pity, but it seems that the harm is in the head of this IT person :(

Vadim Shender
A: 

No file in itself causes any harm - except where the location of the file is not passive storage (e.g. in the memory of a memory-mapped IO card).

It is when the file is used by some malicious (accidental or otherwise) code that it can be considered harmful.

Preet Sangha
+6  A: 

Of course it's not a problem, it's just a text file.

Rename the file to have a .txt extension.

Greg Hewgill
+1. Pragmatic solution to institutional silliness.
Thilo
I remember when Outlook started blocking all sorts of potentially dangerous things based on file extension this was an approved workaround!!
CurtainDog
I used to habitually zip files for this very reason.
emory
+3  A: 

Well, the java source file on the web server can't do much. It has to be compiled and run in a Java VM for any vulnerabilities that code may expose to be exploited. The IT guy MAY be incorrectly equating Java with JavaScript, which can do some damage and, never being compiled, is always in some plain text format. If your IT guy has any concrete evidence that your Java file can be executed or exploited in its current form, or that hosting it would present a specific security vulnerability, by all means let's hear it. Otherwise, get a new IT guy.

KeithS
+1  A: 

There are two ways I can think of that a file can cause harm.

  1. The file is some sort of executable and therefore gets run by the system: compiled code, Flash, JavaScript, etc. This is the realm of viruses and trojans that hijack legit executable code to do their own devious work.

  2. The file is not an executable, but through manipulation, contains a specific sequence of bytes that will trigger a vulnerability in a program which reads that file. For example, there could be a malicious sequence of bytes injected into a jpg which causes a specific image viewer to overflow a buffer and execute those bytes as program code. The limitation of this is that it only works if the targeted viewer is used.

However, text files such as Java source files are pretty much bulletproof to these because of their simplicity and the fact that any malicious injection (#2 above) would be pretty obvious and would stop the Java from compiling in the first place. Usually this only works with files that contain some sort of encoding, not text files.

So yes your IT guy is over-reacting. Probably due to a lack of knowledge and reading too many security scare brochures.

Derek Clarkson
+4  A: 

Can an attacker control the contents of the file? If yes, then it is a problem. If no, then you are okay.

Let's say the attacker could upload .java files (or any other type of file) to the server, and then later allow other users to download it. The uploaded file can contain HTML and JavaScript code that automatically executes in the browser when the user clicks on the link. This is likely to work even if you set Content-Type headers, because browsers try to sniff the MIME type. For more information on this, refer to the Browser Security Handbook.

So, by uploading a .java file, an attacker could execute malicious JavaScript in another user's browser window.

sri
Goes for pretty much any type of file.
Tom Hawtin - tackline
@Tom - agree its not specific to .java files. Updated answer accordingly.
sri
+1  A: 

Are these real java files corresponding to a real system? If so, then a hacker might be able to compromise the real system by looking at the source code. For example: passwords might be encoded within or he might get info about the database location/sid/password or he might be able to see a flaw in the security model.

If they are just sample java files that don't come from a real system, then I cannot see the harm.

Shane
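A check for the concern raised in the answer above, as an added example that is not part of the original thread: a small scanner that flags hardcoded credentials and database connection strings in Java source before it is published. The patterns, the `scan_source` and `safe_to_publish` names, and the sample class are all constructed here for illustration; a real pre-publication review would use a maintained secret scanner with a much larger rule set.

```python
"""Added example: flag secrets in Java source before hosting it publicly.
Not code from the original thread."""
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample source; not from any real system.
SAMPLE_JAVA = '''public class Db {
    // constructed sample; not a real system
    private static final String URL = "jdbc:oracle:thin:@db.internal.example:1521:PRODSID";
    private static final String PASSWORD = "s3cr3t!";
    String fromEnv = System.getenv("DB_PASSWORD"); // fine: not a literal
}
'''

# Illustrative rules: JDBC URLs (host, port, SID), credential string literals,
# and embedded private keys.  Each is a hypothetical pattern, not a standard.
PATTERNS: Dict[str, Pattern[str]] = {
    "jdbc_url": re.compile(r'jdbc:[a-z]+:[^"\s]+'),
    "password_literal": re.compile(r'(?i)\b(password|passwd|pwd)\s*=\s*"([^"]*)"'),
    "private_key": re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----'),
}

Finding = Tuple[int, str, str]  # (line number, rule name, matched text)


def scan_source(text: str) -> List[Finding]:
    """Return every rule match in the source, with its 1-based line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, match.group(0)))
    return findings


def safe_to_publish(text: str) -> bool:
    """True only when no rule fires; the gate a publishing step would use."""
    return not scan_source(text)


if __name__ == "__main__":
    for lineno, rule, hit in scan_source(SAMPLE_JAVA):
        print("line %d [%s]: %s" % (lineno, rule, hit))
    print("safe to publish:", safe_to_publish(SAMPLE_JAVA))
```

The scanner is deliberately line-oriented so findings map straight back to the source, and a value read from the environment (line 5 of the sample) is not flagged, which is the pattern the flagged literals should be replaced with before the file goes on the server.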
+1  A: 

So, just to follow up on this, the IT guy banned me from storing .java files on the server, with the following logic:

"Java and JavaScript may have nothing in common except their first two syllables, but files with the .java extension and files with the .js extension do have something major in common, they may both indicate to a Windows system that it should read the file and execute the commands it finds in the file, this can include anything that java is capable of doing, such as deleting files, sending emails, etc."

Just to clarify, I did not make the previous paragraph up, that is from the head of our IT staff.

Michael