Bugtraq mailing list archives

Re: Netscape communicator 4.x Javascript security flaw

From: metal_hurlant () YAHOO COM (Metal Hurlant)
Date: Fri, 26 Nov 1999 10:41:40 +0100


Netscape has a "persistent" navigator object, which means that any data put
in the window.navigator object will be accessible to every other window as long
as the browser is running. This is slightly worse than non-persistent cookies
since it works across domains. (not by much.. advertisers didn't wait for this
feature to track users from different sites)

Any window that somehow gets an handle to another window can look at it.
If you try to explore the objects inside that window, you'll see pretty much
every global function and variable defined on that window. But you cannot see
"sensitive" objects like document, history, location, etc..
This is mostly an attempt at not breaking compatibility with scripts developed
with previous versions of Navigator: Every object can be accessed except those
known to be sensitive.
It can be a problem if a script happens to copy sensitive data into global
variables. But you cannot use it to automatically grab form data as was implied
on the nsSecurityFlaw1.html page.

I'm surprised to see this working on a https page. A page loaded from a secure
server should be treated as a secure container ( just like pages containing
signed javascripts ) and should refuse any access from external source.

http://developer.netscape.com/docs/manuals/communicator/jssec/contents.htm

Regards,
Henri Torgemane

On Wed, 24 Nov 1999, Ahmed Ghandour wrote:

I found one problem wich affect probably all the Netscape browser 4.x if you want to know more details please check 
out in http://people.magnet.com/~ghandour/

Ahmed Ghandour

Current thread:

Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability, (continued)
- - - Remote DoS Attack in WorldClient Server v2.0.0.0 Vulnerability Ussr Labs (Nov 24)
    - Remote DoS Attack in BisonWare FTP Server V3.5 Vulnerability Ussr Labs (Nov 24)
    - Re: local users can panic linux kernel (was: SuSE syslogd Darren Reed (Nov 24)
    - [w00giving '99 #5 and w00news]: UnixWare 7's su Matt Conover (Nov 25)
    - Buffer Overflow Survey Paper Crispin Cowan (Nov 22)
    - Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper) Crispin Cowan (Nov 23)
    - [ COBALT ] Security Advisory - Sendmail Jeff Bilicki (Nov 24)
    - Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper) Scott Zimmerman (Nov 24)
    - Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper) Simple Nomad (Nov 24)
    - Netscape communicator 4.x Javascript security flaw Ahmed Ghandour (Nov 24)
    - Re: Netscape communicator 4.x Javascript security flaw Metal Hurlant (Nov 26)
    - Re: Netscape communicator 4.x Javascript security flaw Ahmed Ghandour (Nov 26)
    - Windows NT 4.0 Service Pack 6A Breaks IP Forwarding Brendan Howes (Nov 25)
    - Oracle Web Listener Mnemonix (Nov 25)
    - [w00giving '99 #6]: UnixWare 7's Xsco Matt Conover (Nov 25)
    - Re: Operational Issues: Applications & Appliances (was: Buffer Overflow Survey Paper) Mark Seiden (Nov 24)
    - Netscape Communicator 4.7 - Navigator Overflows Mike Boto (Nov 24)
    - BindView Security Advisory: SSR Denial of Service BindView Security Advisory (Nov 24)
    - Re: BindView Security Advisory: SSR Denial of Service Alan Cox (Nov 24)
    - Oracle 8i questions Brock Tellier (Nov 23)
    - Printer Vulnerabilities (Tektronix and JetDirect) Elias Levy (Nov 23)

(Thread continues...)