Bugtraq mailing list archives
Re: Form insecurity in Netscape
From: Mark.Bowyer () UK Sun COM (Mark R. Bowyer - Sun UK - Sun Developer Relations)
Date: Wed, 4 Nov 1998 19:55:41 +0000
From: kelani <kelani () KELANI COM>
In the Netscape Navigator 3.x and Communicator 4.x installations at my school, where all users share a common login, Navigator seems to write a 'nsformXX.tmp' file when a user fills out a form on a webpage. This file contains the fields the user filled in as plaintext, and looks like this:
I thought this was quite well known - I've worked around Navigator crashes while I was filling in a series of forms by extracting some of the data from these files. My Solaris 7 system has 2 such files right now: -rw------- 1 markbo sunsoft 2764 24 Sep 1998 /tmp/nsform360A35344F93D14 -rw------- 1 markbo sunsoft 15828 20 Oct 1998 /tmp/nsform362C51A80A84F2D The perms make this fairly safe, as long as the *machine* is secure. I'm pretty sure the code tries to maintain these files somehow, as I've filled in way more forms than this since September. Maybe if Communicator crashes before it gets round to cleaning up it leaves them? Do you exit Netscape before you shut down? The format is standard multipart/form-data, as would be passed to your CGI code where this *your* form. The data is created in-file before it's passed back up to the web server, it seems. I checked the contents of these files on my system, and the one occurence of a Password field in them is either encoded or encrypted. From the look of it it's "basic" encoding, so I wont put an example here... ;O) The encoding scheme used is pretty simple. The description of the technique in the official standard is pretty obfusicated, but I managed to write some code to decode the name:password pair back to original text so that MOOs could use "basic" security from web browsers to allow web-based access to them (for MOOtiny and the newer MOOs based on our code). On OSes without proper security between users, then, I'd say this was indeed a potential problem for personal data. -------My opinion - Not sane, intelligent or necessarily useful------- o o mailto:Moredhel () earthling net /v\ark R. Bowyer. http://i.am/Moredhel mailto:Mark.Bowyer () UK Sun COM `-' Oh My God! They killed init! You Bastards!
Current thread:
- Form insecurity in Netscape kelani (Nov 03)
- Re: Form insecurity in Netscape Andy Avery (Nov 04)
- <Possible follow-ups>
- Re: Form insecurity in Netscape Mark R. Bowyer - Sun UK - Sun Developer Relations (Nov 04)