[8634] in bugtraq


Re: Netscape Communicator 4.5 can read local files

daemon@ATHENA.MIT.EDU (Terence Christopher Haddock)
Wed Nov 25 15:18:29 1998

Date: 	Wed, 25 Nov 1998 14:22:12 -0500
Reply-To: thaddock@poboxes.com
From: Terence Christopher Haddock <haddock@UDEL.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19981125124832.D3883@visi.net>

        Ben Collins's file contains the text "this is really stupid.". He's
running a UNIX version of Netscape, so I had to modify the script.
Unfortunately, the following does not work under both UNIX and Windows:

sl=window.open("wysiwyg://1/file://");

        It works under UNIX, but not under Windows. A simple check of the
OS would take care of the distinction, however, so that wouldn't slow any
would-be hackers down. Also, if they know their target, then they know
what kind of OS they're dealing with.

Sincerely,
Terence C. Haddock
University of Delaware

On Wed, 25 Nov 1998, Ben Collins wrote:

> I would just like to say that I find it hard to believe so much fuss has
> been made about this. It is clear that this is only a local 'trick' to
> look like it has gotten info. There used to be earlier versions of this
> where ppl would make a link to file:///C|/ and say they had your hard drive
> contents on their webpage, and now that java/javascript is involved
> everyone is freaking out over the same thing just done a little more
> elaborately.
>
> If someone here can set up a webpage, send me the URL, have that page read
> the file '/test.txt' from my hard drive and then that person send the
> contents to this list, I will believe. Otherwise I think this whole
> hysteria over 'unforeseen' dangers should stop.
>
> --
> -----    -- - -------- --------- ----  -------  -----  - - ---   --------
> Ben Collins <b.m.collins@larc.nasa.gov>                  Debian GNU/Linux
> UnixGroup Admin - Jordan Systems Inc.                 bcollins@debian.org
> ------ -- ----- - - -------   ------- -- The Choice of the GNU Generation
>
