[4705] in bugtraq
Re: Netscape Exploit
daemon@ATHENA.MIT.EDU (Sevo Stille)
Mon Jun 16 18:09:14 1997
Date: Sun, 15 Jun 1997 14:54:05 +0200
Reply-To: sevo@inm.de
From: Sevo Stille <sevo@INM.DE>
X-To: "Justin C. Ferguson" <jferg@ACM.ORG>
To: BUGTRAQ@NETSPACE.ORG
> Von: Justin C. Ferguson <jferg@ACM.ORG>
>... [crude attempt using file upload deleted]
> Unless I'm missing something here, this method _does_not_ work. This
> was my first idea when I first heard about the bug as well, but from what I can
> tell, it's not possible to set a value (or a defaultValue using JavaScript) for
> a file type input. The only even remotely possible way I can see to
> do this is perhaps through the fact that Netscape caches form data for reposts,
> and some trick here regarding reloading the page.
Of course, another way would be smashing an internal Netscape stack to insert
a filename into that readonly field.
But there is another possible loophole - it has always been possible to access
random JavaScript elements from a document in another frame or window. This
works with any JavaScript-containing document, whether local or on a server,
as long as the objects aren't tainted, and it is commonly used to feed dynamic
data into JavaScript documents.
However, it is hardly exploitable - nobody will use JavaScript objects to store data
on his disks, and the plain text body of a document is no readable property of
document. But any bug which exposes the document text - like an accessible
internal property of the Navigator parser - would make any file vulnerable.
Sevo