[10616] in bugtraq


<h2>Netscape Communicator JavaScript in security vulnerability</h2>
<h4>daemon@ATHENA.MIT.EDU (Georgi Guninski)<br>Mon May 24 12:46:36 1999</h4>
<pre>Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Message-Id: <374936DD.77EC04C9@nat.bg>
Date: Mon, 24 May 1999 14:24:13 +0300
Reply-To: Georgi Guninski <<A HREF="mailto:joro@NAT.BG">joro@NAT.BG</A>>
From: Georgi Guninski <<A HREF="mailto:joro@NAT.BG">joro@NAT.BG</A>>
To: <A HREF="mailto:BUGTRAQ@NETSPACE.ORG">BUGTRAQ@NETSPACE.ORG</A>

There is a security bug in Netscape Communicator 4.6 Win95, 4.07 Linux
(guess all 4.x versions are affected) in the way they treat JavaScript
code in the title of the document.
One may embed JavaScript code in the <TITLE> tag. If the info about the
document is shown, then the JavaScript code is executed.
The info about the document may be invoked by a script using
'location="wysiwyg://1/about:document" '.
The problem is that the JavaScript code is executed in the security
context of the "about:" protocol.
This allows accessing documents in the "about:" protocol such as:
"about:cache", "about:config", "about:global", etc.

Vulnerabilities:
 * Reading user's cache and accessing information such as passwords,
   credit card numbers.
 * Reading info about the Netscape's configuration ("about:config").
   This includes finding user's email address, mail servers, the encoded
   mail password (it must be saved and may be decoded). This allows
   reading user's email.

The more dangerous part is that this vulnerability MAY BE EXPLOITED
USING HTML MAIL MESSAGE.

Workaround: Disable JavaScript

Demonstration is available at: http://www.nat.bg/~joro/titlecache.html

Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski
</pre>
</body></html>
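A mail-gateway or proxy check for the pattern the advisory describes, as an added example that is not part of the original post: it flags HTML whose TITLE carries script or other markup, and any reference to the `wysiwyg:` or `about:` schemes. The function name `scan_html`, the finding labels and the sample inputs are assumptions constructed for illustration.

```python
import re

# Every <TITLE> body; an unterminated title runs to the end of the input.
TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)(?:</title\s*>|\Z)", re.I | re.S)
# A script element has no place in a document title.
SCRIPT_RE = re.compile(r"<script\b", re.I)
# Any tag opener ("<" directly followed by a name character); a bare
# "a < b" in a plain-text title does not match.
MARKUP_RE = re.compile(r"<[a-z!/]", re.I)
# Schemes named in the advisory. Requiring a URL character right after the
# colon is a heuristic that keeps prose such as "About: us" from matching.
SCHEME_RE = re.compile(r"\b(wysiwyg|about):(?=[a-z/])", re.I)


def scan_html(html: str) -> list[str]:
    """Return sorted finding labels for one HTML page or HTML mail body."""
    findings = set()
    for match in TITLE_RE.finditer(html):
        title = match.group(1)
        if SCRIPT_RE.search(title):
            findings.add("script-in-title")
        elif MARKUP_RE.search(title):
            findings.add("markup-in-title")
    for scheme in SCHEME_RE.findall(html):
        findings.add("scheme:" + scheme.lower())
    return sorted(findings)


# Constructed samples, not taken from the advisory's demonstration page.
SAMPLES = {
    "plain": "<html><head><title>Q2 report: a < b</title></head>"
             "<body>About: us</body></html>",
    "title-script": "<HTML><TITLE><SCRIPT>/* inert placeholder */</SCRIPT></TITLE></HTML>",
    "title-markup": "<title>Hello <b>world</b>",
    "navigation": '<script>location="wysiwyg://1/about:document"</script>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:13} {scan_html(html) or 'clean'}")
```

A hit is a reason to quarantine or strip the message for clients that cannot disable JavaScript; the regular expressions are heuristics and do not replace the workaround given in the post.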