How to bypass Netscape's SecurityManager

Update 6/3/2001: While ego-surfing on citeseer, I found that this page has been cited by some people. (Quote: The author does not deal with the support of flexible access control.) For this reason, I've put it up again. It is of historical interest only.
News: Bob Jamison sent me the patch for the final 2.0 version. It is not tested by me yet.

An even simpler way to avoid all restrictions imposed by the security manager is to get rid of it altogether. This is accomplished by replacing Netscape's security manager with an empty security manager. Under Solaris, you can also patch the running NetScape so that it allows file access as well.

The rest of this page is mostly historical, in reverse order. The end of the page has an applet that allows you test whether the patch is installed properly. Be sure to read the comments from comp.lang.java.


The patch has been tested for all the OSs mentioned in version beta 4. So far, only the Linux, the Solaris 2.4 and the SGI patch are known to function for beta 5.
Only the Linux version has been tested for beta 6. The magic numbers have changed, this is the new program for beta6

Pat Mancuso sent me the patch for the Win32 version of NSb6.


This posting describes how to patch moz2_0.zip for Solaris 2.4, Linux, Win32, SGI, and HPUX so that socket connections are unrestricted. Remember that NetScape 2.0, unlike the appletviewer, does not provide configurable security. See Sun's security FAQ for more background information.

If you are familiar with a hex editor, you're probably faster making the changes described in the comments. In emacs, type M-x hexlify-buffer, make the change, type M-x hexl-mode-exit, save and exit.

If not, compile the program with

cc -Dlinux pmoz.c -o pmoz
(or -Dsolaris, -Dhpux, -Dwin32) respectively, do a chmod +w moz2_0.zip, and run pmoz in the same directory. Don't forget to make a backup first.

This patch probably won't work if an unpatched copy of moz2_0.zip is in one of the system directories where Netscape looks first.

Get the complete program from --- here. This are the essentials:


/* Linux
moz2_0.zip:filesize 763601
0006c940: 0009 2a04 b500 6fb1 2a05 b500 6fb1 0000  ..*...o.*...o...
change to:
                 06             06
*/
/* Solaris 2.4 & Win 32 & SGI:
moz2_0.zip:filesize 763604
0006c940: 006c 9900 092a 04b5 0054 b12a 05b5 0054  .l...*...T.*...T
change to:
                         06             06
*/
/* HPUX
moz2_0.zip:filesize 763590
0006c930: 1db6 0074 9900 092a 04b5 0070 b12a 05b5  ...t...*...p.*..
change to:
                              06             06
*/
Some comments from comp.lang.java

Click here for a brief description of how it works.

Use this applet to test: The patch is activated if it thanks you for sending mail to gback@cs.utah.edu.



Click here for the applet code.