Re: Netscape 4.51 Upgrade

[nick.boyce () EDS COM (Boyce, Nick)]

Chris Price asked :-

>  Is it just me, or does anyone else see this as a gaping security hole
>  for Netscape 4.5x users......

Well ...

This was reported by Georgi Guninski in a Bugtraq posting dated
23rd.November,1998, under the subject line "Netscape Communicator 4.5 can
read local files". A minor debate ensued about whether or not it was a
serious issue, at the end of which everybody agreed that this was a real
problem and plenty of exploit Javascripts had been written, some tailored to
Windows Netscape and some to Unix Netscape. Ben Collins posted a challenge
to the list on 25th.November,1998 to get someone to create a webpage which
would read a file called "/test.txt" from his client machine, and Terence C
Haddock managed to do that later the same day.

The last posting I saw was on 28th.November,1998 when Todd Campbell wrote :-

> Does anybody know what Netscape's stance is on this, do they have a
timeline?

... and I thought that was a very good question. I've scoured Netscape's web
site spaghetti, and can find no announcement one way or another as to
whether or not they agree there is a problem, or whether they intend to fix
it.

I think it's pretty damn serious. I think it's pretty weird that Netscape
don't even comment on the matter, either here or anywhere else. If Netscape
*has* in fact commented, I'd be grateful if someone could point me to the
right place.
> Nick Boyce
> [ Information Security Manager ]
> Systems Team, EDS Healthcare, Bristol, UK