[4695] in bugtraq

home help back first fref pref prev next nref lref last post

Re: Netscape Exploit... with technical details.

daemon@ATHENA.MIT.EDU (Phear)
Sat Jun 14 22:38:58 1997

Date: 	Sat, 14 Jun 1997 13:14:38 -0700
Reply-To: Phear <phear@OUTLAWLABS.COM.NO.SPAM>
From: Phear <phear@OUTLAWLABS.COM.NO.SPAM>
X-To:         Edwin Li-Kai Liu <robin.hood@IBM.NET>
To: BUGTRAQ@NETSPACE.ORG

Edwin Li-Kai Liu wrote:

> Rusty Conover wrote:
>
> > In my method JavaScript would have to be used to automatically submit
> > an HTML form to the server.  In these forms a page writer could have
> > already coded the file name into the source document, such as
> > "autoexec.bat".  When the browser loads the page off of the server, it
> > submits the form which transmits the file to the server via the
> > HTTP-File upload procedure.  The SERVER now has the file the author
> > wanted.  To fool the user, the CGI program sends the location of the
> > real web page to the client, and the client doesn't know otherwise.
> >
> > This method would require the files to be small or else the user will
> > notice this is taking a long time to load the page over a modem.  But
> > the potential for this exploit to be used over faster transmission
> > lines is greater.
> >
> > A solution to this problem would be a warning dialog box, telling the
> > user that they are transmitting a file, not just a regular HTTP form.
> > I have not written a single line of code exploiting this potential
> > vulnerability; I might get around to it if I have time.
> >
> > Please note:  I sent this original message 1 day (June 12) before to
> > Netscape and now they confirm that my hypothesis was correct on the
> > URL:
> >
> > http://home.netscape.com/misc/security_update.html
>
> Yes, this is absolutely correct. You have proved my points also.  Please
> see my message on the netscape.security newsgroup, titled "Re: Security
> BUG".
>
> I have then posted the same message to other newsgroups one day after,
> which is today. I want the public to know the truth, instead of
> panicking.  The following is the original message.
>
> <snip>

Well, I would be MORE than excited to see some code for this.  When I
saw the story on CNN, I immediately went to work and tried to duplicate
it.  The only thing I could think of that would allow the retrieval of
files was the <INPUT TYPE="File"> form element, which sends the file as
ENCTYPE multipart/form-data.  I wrote a little shell script to display
everything that the form sent, and I wrote the web page, with three
javascript functions.  One to load up the File box with the filename,
one to press the submit button, and a function to be called by the body
onload event.

It's a great idea, but I think Netscape has already thought of it
because every attempt to load the file box programmatically resulted in
a javascript error pointing out that the File input type was READ-ONLY.
I even made it a textbox first, and then tried to change the type after
loading the filename:

    // fill an ordinary text box, then try to turn it into a file box
    // (backslashes in a JavaScript string literal have to be doubled)
    document.form.textbox.value = "c:\\windows\\someone.pwl";
    document.form.textbox.type = "file";

And it still doesn't work.  So, while this seems to be the only place I
can think of for the bug, all attempts at exploiting it have failed.
Unless you can get around the read-only state of the file input box, I
don't know how it can work.

Anyway, my two cents..

phear
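As an added example, not code from the original post or from anyone quoted in the thread, here is a Python version of the "little shell script to display everything that the form sent": a minimal multipart/form-data parser that lists each field the browser submitted, the filename attached to any file field, and the bytes received. Seen from the server, the filename= parameter in the part's Content-Disposition is the only record that a file was sent at all, so a CGI that logs it shows exactly what an upload form (intended or not) delivered. The sample request body, its boundary string and the field names are constructed for this example.

```python
# Added example: a minimal multipart/form-data dump, the server side of the
# <INPUT TYPE="File"> upload discussed in the thread. Not code from the post.
# The sample body, boundary and field names below are constructed.
from __future__ import annotations

import re


def parse_multipart(body: bytes, content_type: str) -> list[dict]:
    """Split a multipart/form-data body into its parts.

    Each part is a dict with the field name, the filename the browser
    attached (None for ordinary fields), the part's Content-Type (None if
    absent) and the raw bytes of the part body.
    """
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary parameter")
    # RFC 2046: the delimiter is CRLF "--" boundary, and that CRLF belongs to
    # the delimiter, not to the preceding part. Prefixing the body with one
    # CRLF makes the first delimiter split exactly like the others.
    delimiter = b"\r\n--" + m.group(1).encode("latin-1")
    segments = (b"\r\n" + body).split(delimiter)

    parts = []
    for seg in segments[1:]:          # segments[0] is the preamble, if any
        if seg.startswith(b"--"):     # "--" right after the boundary closes the body
            break
        if seg.startswith(b"\r\n"):   # end of the delimiter line
            seg = seg[2:]
        head, sep, data = seg.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: no blank line after headers")
        headers = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        # require ';' or start-of-string before name= so filename= is not matched
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', disp)
        filename = re.search(r';\s*filename="([^"]*)"', disp)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return parts


def file_parts(parts: list[dict]) -> list[dict]:
    """The parts for which the browser attached a filename, i.e. file fields."""
    return [p for p in parts if p["filename"] is not None]


def describe(parts: list[dict]) -> list[str]:
    """One human-readable line per part, as a CGI debug dump would print."""
    lines = []
    for p in parts:
        if p["filename"] is None:
            lines.append(f"field {p['name']!r}: {p['data']!r}")
        else:
            lines.append(f"field {p['name']!r}: file {p['filename']!r} "
                         f"({p['content_type']}, {len(p['data'])} bytes)")
    return lines


# Constructed sample: one text field and one file field, laid out as a
# browser sends them for a form with ENCTYPE="multipart/form-data".
BOUNDARY = "----example-boundary-1997"
SAMPLE_CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="comment"\r\n'
    "\r\n"
    "hello\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="autoexec.bat"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "@echo off\r\nSET PATH=C:\\DOS\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("latin-1")

if __name__ == "__main__":
    for line in describe(parse_multipart(SAMPLE_BODY, SAMPLE_CONTENT_TYPE)):
        print(line)
```

Run as a script it prints one line per part; `file_parts` is the hook a server operator would use to log or reject any file field a form was not expected to carry. The parser splits on the full CRLF-prefixed delimiter rather than on the bare boundary string, so a part body that happens to contain the boundary text is not cut in two.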
