[9944] in bugtraq
Re: Netscape 4.51 Upgrade
daemon@ATHENA.MIT.EDU (Boyce, Nick)
Wed Mar 17 21:51:57 1999
Date: Wed, 17 Mar 1999 15:56:27 -0000
Reply-To: "Boyce, Nick" <nick.boyce@EDS.COM>
From: "Boyce, Nick" <nick.boyce@EDS.COM>
To: BUGTRAQ@NETSPACE.ORG
Chris Price asked :-
> Is it just me, or does anyone else see this as a gaping security hole
> for Netscape 4.5x users......
Well ...
This was reported by Georgi Guninski in a Bugtraq posting dated
23rd.November,1998, under the subject line "Netscape Communicator 4.5 can
read local files". A minor debate ensued about whether or not it was a
serious issue, at the end of which everybody agreed that this was a real
problem and plenty of exploit Javascripts had been written, some tailored to
Windows Netscape and some to Unix Netscape. Ben Collins posted a challenge
to the list on 25th.November,1998 to get someone to create a webpage which
would read a file called "/test.txt" from his client machine, and Terence C
Haddock managed to do that later the same day.
The last posting I saw was on 28th.November,1998 when Todd Campbell wrote :-
> Does anybody know what Netscape's stance is on this, do they have a
timeline?
... and I thought that was a very good question. I've scoured Netscape's web
site spaghetti, and can find no announcement one way or another as to
whether or not they agree there is a problem, or whether they intend to fix
it.
I think it's pretty damn serious. I think it's pretty weird that Netscape
don't even comment on the matter, either here or anywhere else. If Netscape
*has* in fact commented, I'd be grateful if someone could point me to the
right place.
> Nick Boyce
> [ Information Security Manager ]
> Systems Team, EDS Healthcare, Bristol, UK
>
