[16413] in bugtraq
Re: MDKSA-2000:036 - netscape update
daemon@ATHENA.MIT.EDU (Kris Kennaway)
Mon Aug 28 12:12:55 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.21.0008280851480.68105-100000@freefall.freebsd.org>
Date: Mon, 28 Aug 2000 08:54:26 -0700
Reply-To: Kris Kennaway <kris@FREEBSD.ORG>
From: Kris Kennaway <kris@FREEBSD.ORG>
X-To: Linux Mandrake Security Team <security@LINUX-MANDRAKE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000821140128.A21910@mandrakesoft.com>
On Mon, 21 Aug 2000, Linux Mandrake Security Team wrote:
> Problem Description:
>
> There exists a problem in all versions of Netscape from 4.0 to 4.74
> with Java enabled. Under certain conditions, Netscape can be turned
> into a server that serves files on your local hard drive that Netscape
> has read access to and remote people can access it by connecting their
> web client to port 8080 on your machine if they know the IP address.
> This vulnerability has been fixed in Netscape 4.75.
This is not the vulnerability at all, but a single instance of an exploit
for it.
IMO, this advisory is misleading since just blocking port 8080 does not
work around the problem.
Kris
--
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe@alum.mit.edu>
