Bugtraq mailing list archives
Re: Netscape Exploit
From: sevo () inm de (Sevo Stille)
Date: Sun, 15 Jun 1997 14:54:05 +0200
From: Justin C. Ferguson <jferg () ACM ORG> ... [crude attempt using file upload deleted] Unless I'm missing something here, this method _does_not_ work. This was my first idea when I first heard about the bug as well, but from what I can tell, it's not possible to set a value (or a defaultValue using JavaScript) for a file type input. The only even remotely possible way I can see to do this is perhaps through the fact that Netscape caches form data for reposts, and some trick here regarding reloading the page.
Of course, another way would be smashing an internal Netscape stack to insert a filename into that readonly field. But there is another possible loophole - it has always been possible to access random JavaScript elements from a document in another frame or window. This works with any JavaScript-containing document, whether local or on a server, as long as the objects aren't tainted, and it is commonly used to feed dynamic data into JavaScript documents. However, it is hardly exploitable - nobody will use JavaScript objects to store data on his disks, and the plain text body of a document is no readable property of document. But any bug which exposes the document text - like an accessible internal property of the Navigator parser - would make any file vulnerable.

Sevo