[8628] in bugtraq
Re: Netscape Communicator 4.5 can read local files
daemon@ATHENA.MIT.EDU (The Spirit of the Black Panther)
Tue Nov 24 23:49:29 1998
Date: Mon, 23 Nov 1998 20:49:37 +0000
Reply-To: panther@DSIS.NET
From: The Spirit of the Black Panther <panther@DSIS.NET>
To: BUGTRAQ@NETSPACE.ORG
Georgi Guninski wrote:
> There is a bug in Netscape Communicator 4.5 for Windows 95 and 4.05 for
> WinNT 4.0
> (probably others) which allows reading files from the user's computer.
> It is not necessary for the file name to be known, because directories may
> be browsed.
> The contents of the file may be sent to an arbitrary host. In order for this
> to work, you need both Java and Javascript
> enabled. The bug may be exploited by email message.
>
> Demonstration is available at:
> http://www.geocities.com/ResearchTriangle/1711/b6.html
>
> Workaround: Disable Javascript or Java.
>
I have just tested this bug in Netscape 4.5 on a RedHat Linux 5.1 machine,
Kernel 2.0.34, and with minor patching of the Java, it is also effective. I
was successful in retrieving ANY LOCAL FILE with the world-readable
attribute. This includes the /etc/passwd file! In Netscape,
Edit>Preferences>Advanced>Disable Javascript in Mail and News will block
this exploit, unless the person has access to your web server.