[8423] in bugtraq


Re: Form insecurity in Netscape

daemon@ATHENA.MIT.EDU (Andy Avery)
Thu Nov 5 13:11:50 1998

Date: 	Wed, 4 Nov 1998 15:54:02 -0500
Reply-To: Andy Avery <avery@AURAGEN.COM>
From: Andy Avery <avery@AURAGEN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <4.1.19981103155958.0097ae70@mail.digiweb.com>

On Tue, 3 Nov 1998, kelani wrote:

> Date: Tue, 3 Nov 1998 22:25:35 -0500
> From: kelani <kelani@KELANI.COM>
> To: BUGTRAQ@netspace.org
> Subject: Form insecurity in Netscape
>
> *resubmitted with the offending paragraph removed, thanks for your
> patience, O phearable one.*
>
> Greetings all,
>
> Apologies if it has already been known or was discussed earlier. I see no
> mention in the archive, and it's such an obvious thing...
>
> In the Netscape Navigator 3.x and Communicator 4.x installations at my
> school, where all users share a common login, Navigator seems to write a
> 'nsformXX.tmp' file when a user fills out a form on a webpage. This file
> contains the fields the user filled in as plaintext, and looks like this:


 Just poking around and checking things here, I found that there are two
conditions that *must* be met for this to happen:

#1) The form that is submitted must be a MIME-Encoded form
(enctype="multipart/form-data" in the <form> tag) as opposed to the
default of a URL-Encoded form.  (If there's no "enctype" element in a
<form> tag, it defaults to URL-Encoded.)

#2) The environmental variable TEMP *must* be set.  This was not the case
for my setup until I added it in my autoexec.bat and rebooted.

  I tested this using Communicator v4.04 on Win95.  When I attempted this
with a URL-Encoded form, it didn't work.  I tested it using a MIME-Encoded
form and it still didn't work.  So I set TEMP in autoexec and rebooted.
Tried it on a URL-Encoded form, and it didn't work.  Tried it on the
MIME-Encoded form, and a file called nstempCG.tmp showed up in the path
that I set TEMP to.  Both forms were of my creation on my server here, and
I just wrote dummy perl scripts to receive the call from the web server.

  Hope this helps anyone......

_____________________________________________________________
Andy Avery                      Systems/Network Administrator
Auragen Communications, Inc.
620 Park Ave, Ste. 177          v: 716.242.8759
Rochester, NY 14607             f: 716.242.0417
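
An audit sketch for the two conditions described in the message above, added here as an example and not part of the original post: it lists which forms on a page submit as multipart/form-data, and which files in the TEMP directory match the two file names reported in the thread. The function names, the wildcard patterns and the sample HTML are assumptions made for illustration.

```python
import fnmatch
import os
import tempfile
from html.parser import HTMLParser

# File-name patterns taken from the two names reported in the thread
# (nsformXX.tmp and nstempCG.tmp); the wildcards are an assumption.
LEFTOVER_PATTERNS = ("nsform*.tmp", "nstemp*.tmp")
DEFAULT_ENCTYPE = "application/x-www-form-urlencoded"


class FormEnctypeParser(HTMLParser):
    """Collect (action, effective enctype) for every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)  # attribute names arrive lower-cased
            enctype = (a.get("enctype") or DEFAULT_ENCTYPE).strip().lower()
            self.forms.append((a.get("action") or "", enctype))


def multipart_forms(html):
    """Return actions of forms that submit as multipart/form-data."""
    p = FormEnctypeParser()
    p.feed(html)
    return [action for action, enc in p.forms if enc == "multipart/form-data"]


def leftover_temp_files(temp_dir):
    """Return sorted names in temp_dir matching the reported patterns."""
    names = os.listdir(temp_dir)
    return sorted(n for n in names
                  if any(fnmatch.fnmatch(n.lower(), pat) for pat in LEFTOVER_PATTERNS))


# Constructed sample page: one default (URL-encoded) form, one MIME-encoded form.
SAMPLE_HTML = """
<form action="/cgi-bin/urlenc.pl" method="post"><input name="a"></form>
<form action="/cgi-bin/mime.pl" method="POST" ENCTYPE="multipart/form-data">
<input name="b"></form>
"""

if __name__ == "__main__":
    print("multipart forms:", multipart_forms(SAMPLE_HTML))
    temp_dir = os.environ.get("TEMP") or tempfile.gettempdir()
    print("leftovers in", temp_dir, ":", leftover_temp_files(temp_dir))
```

On a shared-login machine, any file the second function reports is readable by the next person at the keyboard, so the output doubles as a cleanup list.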
