...
This guideline applies equally to server applications and clients. Adversaries can glean sensitive information not only from vulnerable web servers but also from innocent users who use vulnerable web browsers. In 2004, Schoenefeld \[[Schoenefeld 04|AA. Java References#Schoenefeld 04]\] discovered an instance in the Opera v7.54 web browser in which an attacker could use the {{sun.security.krb5.Credentials}} class as an oracle to "retrieve the name of the currently logged in user and parse his home directory from the information which is provided by the thrown java.security.AccessControlException."
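The same class of leak can be shown with an ordinary file-access exception. This is an added example, not code from the original guideline or from Schoenefeld's report; the class name `SanitizedErrors`, the methods `loadLeaky` and `loadSanitized`, the file name and the message text are all hypothetical.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Paths;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SanitizedErrors {
    private static final Logger LOG = Logger.getLogger(SanitizedErrors.class.getName());

    // Leaky: the propagated exception message embeds the absolute path,
    // which contains the account name and home directory.
    static void loadLeaky(String name) throws IOException {
        String path = Paths.get(System.getProperty("user.home"), name).toString();
        try (FileInputStream in = new FileInputStream(path)) {
            in.read();
        }
    }

    // Hardened: the detail stays in the local log; the caller receives a
    // fixed message and an opaque reference for correlation. The original
    // exception is deliberately not chained as the cause.
    static void loadSanitized(String name) throws IOException {
        try {
            loadLeaky(name);
        } catch (IOException | SecurityException e) {
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.WARNING, "profile load failed, ref=" + ref, e);
            throw new IOException("Unable to load profile (ref " + ref + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed input: a file name that does not exist.
        String missing = "no-such-profile-" + UUID.randomUUID() + ".cfg";
        try {
            loadLeaky(missing);
        } catch (IOException e) {
            System.out.println("leaky:     " + e.getMessage());
        }
        try {
            loadSanitized(missing);
        } catch (IOException e) {
            System.out.println("sanitized: " + e.getMessage());
        }
    }
}
```

The first line of output contains the full home-directory path; the second contains only the fixed text and the reference, while the path appears solely in the local log record.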
...