Bugtraq mailing list archives
Re: Netscape 4.51 Upgrade
From: nick.boyce () EDS COM (Boyce, Nick)
Date: Wed, 17 Mar 1999 15:56:27 -0000
Chris Price asked :-
Is it just me, or does anyone else see this as a gaping security hole for Netscape 4.5x users......
Well ... This was reported by Georgi Guninski in a Bugtraq posting dated 23rd.November,1998, under the subject line "Netscape Communicator 4.5 can read local files". A minor debate ensued about whether or not it was a serious issue, at the end of which everybody agreed that this was a real problem and plenty of exploit Javascripts had been written, some tailored to Windows Netscape and some to Unix Netscape. Ben Collins posted a challenge to the list on 25th.November,1998 to get someone to create a webpage which would read a file called "/test.txt" from his client machine, and Terence C Haddock managed to do that later the same day. The last posting I saw was on 28th.November,1998 when Todd Campbell wrote :-
Does anybody know what Netscape's stance is on this, do they have a
timeline? ... and I thought that was a very good question. I've scoured Netscape's web site spaghetti, and can find no announcement one way or another as to whether or not they agree there is a problem, or whether they intend to fix it. I think it's pretty damn serious. I think it's pretty weird that Netscape don't even comment on the matter, either here or anywhere else. If Netscape *has* in fact commented, I'd be grateful if someone could point me to the right place.
Nick Boyce [ Information Security Manager ] Systems Team, EDS Healthcare, Bristol, UK
Current thread:
- Re: Netscape 4.51 Upgrade Boyce, Nick (Mar 17)