Bugtraq mailing list archives
Re: Communicator 4.[56]x, JavaScript used to bypass cookie settings
From: claudio () LINK IT (Claudio Telmon)
Date: Tue, 13 Jul 1999 22:56:37 +0200
Peter W wrote:
As Netscape has not acknowledged my email or bug report from last week, and one form of this vulnerability is currently being used, I have decided it best to publicize this problem.
I can add something on this topic. Gioacchino La Vecchia (gio () link it) and I found the same problem and a couple of others (which I'll describe later in this posting) in January. We were checking how Communicator handles javascript in mail messages. We did some testing and in February decided to send a bug report to Netscape. We got an answer at the end of February after some mail exchange. Netscape told us that they couldn't include a fix in Communicator 4.51, which was "after final build", and asked for 8-10 weeks before we made the bugs public. We also got a "Bugs Bounty Recognition Package" ;), that is 1000$ and a T-shirt (500$ pro capite). After that, Communicator 4.51, 4.6 and 4.61 were released. Since we are working a lot, time passed and we almost forgot the problem. The bottom line is that if I find some other bug, Netscape will know about it with the bugtraq moderator ;)

Now to the bugs. As I said, we were working on javascript in mail messages, so we noticed this bug in mail messages. A message sent to a public mailing list or a spam message can leave a "mark" in your cookies database that can be read by any other message (or web page?). If I remember correctly, we tested this also on Explorer and it worked. Now the default setting is that javascript in mail messages is disabled, but the bug is not fixed. As you noticed, "same origin" is not enforced.

Another partially fixed bug is that with wysiwig://0/mailbox:/home/claudio/nsmail/Inbox?number=2 you can access the first message of the mailbox. We used window.open("wysiwig://0/mailbox:/home/claudio/nsmail/Inbox?number=2"). With the original bug, you could access document.links[] and get the addresses of sender, recipient etc. Now you can still get document.title, which is the subject of the message. If you try other values instead of 2, you can get the offset of the beginning of another message in the mailbox and work on it, or else Communicator will crash.

The original report can be found at http://metalab.unc.edu/gio/papers/netscape/netscape.html

ciao - Claudio
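The "mark" problem above comes down to the cookie store not scoping cookies by the origin of the script that wrote or read them. The toy cookie jar below is an added example (not code from the post or from Netscape) that models both behaviours: with `enforceOrigin` off, a script running inside a mail message (modelled as origin `null`, since a message has no web host) can plant a cookie that every later message or page can read; with it on, the write is refused and reads are filtered by an RFC 2109-style domain match. Host names such as `shop.example` and `example.net` are constructed for the example.

```javascript
// Added example: origin-scoped cookie jar vs. the unscoped behaviour described
// in the post. Hosts below are constructed sample values, not real sites.

function domainMatches(host, cookieDomain) {
  // RFC 2109-style match: exact host, or host is a subdomain of cookieDomain.
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

class CookieJar {
  constructor(enforceOrigin) {
    this.enforceOrigin = enforceOrigin;
    this.cookies = []; // { name, value, domain }
  }
  // origin: host of the document writing the cookie; null for a mail message.
  set(origin, name, value, domain) {
    const d = domain || origin;
    if (this.enforceOrigin) {
      // A document with no web origin, or one outside the cookie's domain,
      // is not allowed to plant a cookie for that domain.
      if (origin === null || !domainMatches(origin, d)) return false;
    }
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === d));
    this.cookies.push({ name, value, domain: d });
    return true;
  }
  // Cookies a document at `origin` can read.
  visibleTo(origin) {
    const fmt = c => c.name + "=" + c.value;
    if (!this.enforceOrigin) return this.cookies.map(fmt); // the bug: no scoping
    return this.cookies
      .filter(c => origin !== null && domainMatches(origin, c.domain))
      .map(fmt);
  }
}

function demo(enforceOrigin) {
  const jar = new CookieJar(enforceOrigin);
  jar.set("shop.example", "session", "abc123");              // ordinary web page
  jar.set(null, "mark", "seen-by-spammer", "example.net");   // script in a mail message
  return {
    mailMessageSees: jar.visibleTo(null),                 // a later mail message
    otherSiteSees: jar.visibleTo("evil.example.net"),     // an unrelated web page
    shopSees: jar.visibleTo("shop.example"),              // the legitimate site
  };
}
```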