Re: Netscape Communicator 4.5 can read local files

From: Trev (trevat_private)
Date: Fri Nov 27 1998 - 05:07:36 PST

Next message: Keith Woodard: "Java Redirect Bug - Netscpape 4.0[678] and 4.5"

Previous message: Michael Teichmann: "Re: Netscape Communicator 4.5 can read local files"
Maybe in reply to: Georgi Guninski: "Netscape Communicator 4.5 can read local files"
Next in thread: Todd C. Campbell: "Re: Netscape Communicator 4.5 can read local files"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

After some 2,000 hits on my version of the "Guninski Exploit" in the last
couple of days, I have a pretty good idea of what's vulnerable and what's
not.  If it worked, it would call a specific CGI automatically, however
some people did try to call it manually.

It appears that the only version of Netscape 4.x that *ISN'T* vulnerable is
4.08 (both windoze and unix).  It gives the "security.checkread" error.
All other versions faithfully reported back the file contents many times.

The funny thing about 4.08 is that it asks the web server for
"java/io.class", which doesn't exist.  I don't know what the result would
be if such a thing did exist.  Since it fails due to a security.checkread,
I doubt it would make much difference.

Trev

Next message: Keith Woodard: "Java Redirect Bug - Netscpape 4.0[678] and 4.5"
Previous message: Michael Teichmann: "Re: Netscape Communicator 4.5 can read local files"
Maybe in reply to: Georgi Guninski: "Netscape Communicator 4.5 can read local files"
Next in thread: Todd C. Campbell: "Re: Netscape Communicator 4.5 can read local files"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:19 PDT