Georgi Guninski wrote:
> There is a bug in Netscape Communicator 4.5 for Windows 95 and 4.05 for
> WinNT 4.0 (probably others) which allows reading files from the user's computer.
> It is not necessary for the file name to be known, because directories may
> be browsed.
> The contents of the file may be sent to an arbitrary host. In order for this
> to work, you need both Java and Javascript enabled. The bug may be exploited
> by email message.
>
> Demonstration is available at:
> http://www.geocities.com/ResearchTriangle/1711/b6.html
>
> Workaround: Disable Javascript or Java.

I have just tested this bug in Netscape 4.5 on a RedHat Linux 5.1 machine, Kernel 2.0.34, and with minor patching of the java, it is also effective. I was successful in retrieving ANY LOCAL FILE with the World readable attribute. This includes the /etc/passwd file!

In netscape, Edit>Preferences>Advanced>Disable Javascript in Mail and News will block this exploit, unless the person has access to your web server.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:10 PDT