Bookmarks security vulnerabilities in both Internet Explorer 5.0

From: Georgi Guninski (joroat_private)
Date: Sun May 09 1999 - 07:34:10 PDT

There is a design flaw in both Internet Explorer 5.0 and Netscape Communicator 4.51 Win95 (guess all 4.x versions of both browsers are vulnerable too) in the way they handle bookmarks.

The problem arises if the user bookmarks (adds to favorites) and later chooses a specially designed "javascript:" URL. When the bookmark is chosen later, the JavaScript code in it is executed in the context (the same domain and protocol) of the document opened prior to choosing the bookmark. So, the JavaScript code has access to documents in the same domain. An interesting case is choosing the bookmark when the active document is a local file (the protocol is "file:") - then the JavaScript code has access to local files and directories.

The vulnerabilities are more serious for Internet Explorer 5.0.

Some of the vulnerabilities are:

 For Internet Explorer 5.0:
  Reading local files if the filename is known;
  Reading files in the domain of the active document (even if the web server is blocked by a firewall);
  Reading links in the active document and in documents in the same domain;
  Web spoofing of documents in the domain of the active document;

  Demonstration is available at: http://www.nat.bg/~joro/favorites.html

 For Netscape Communicator 4.51:
  Browsing local directories;
  Reading local files in the directory of the active document;
  Reading links in the active document and in documents in the same domain;
  Web spoofing of documents in the domain of the active document;

  Demonstration is available at: http://www.nat.bg/~joro/bookmarks.html

Workaround: Disable JavaScript or do not bookmark untrusted pages

Georgi Guninski
 http://www.nat.bg/~joro
 http://www.whitehats.com/guninski
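The post's workaround is not to bookmark untrusted pages. A defender auditing a user's existing bookmarks can apply the same idea mechanically: any stored bookmark whose URL scheme is "javascript:" will run its code in the origin of whatever document is active when it is chosen. The following is an added example, not code from Guninski's post; it scans a Netscape-style bookmarks.html export (the sample file below is constructed for this example) and flags entries with a "javascript:" scheme. It also normalises the scheme before comparing it, since an entry written with mixed case, leading whitespace or %-encoded control characters would otherwise slip past a naive string prefix check.

```javascript
// Added example (not part of the original post): flag bookmarks that use
// the "javascript:" scheme in a Netscape-style bookmarks.html export.
// The export below is constructed for this example.
const SAMPLE_BOOKMARKS_HTML = `<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<DL><p>
  <DT><A HREF="http://www.example.com/">Example site</A>
  <DT><A HREF="javascript:alert(document.location)">Show location</A>
  <DT><A HREF="  JaVaScRiPt:void(0)">Mixed case with leading spaces</A>
  <DT><A HREF="java%0Ascript:void(0)">Encoded newline inside the scheme</A>
  <DT><A HREF="https://example.org/?q=javascript:notascheme">Harmless query</A>
</DL><p>`;

// Return the URL scheme after the kind of lenient normalisation a browser
// may apply: decode %-escapes, drop ASCII control characters and spaces,
// and lower-case. Returns null when the string has no recognisable scheme.
function normalizeScheme(href) {
  let s = href;
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // Malformed escape sequence: fall back to the raw string.
  }
  s = s.replace(/[\x00-\x20]/g, '').toLowerCase();
  const m = s.match(/^([a-z][a-z0-9+.-]*):/);
  return m ? m[1] : null;
}

// Extract { href, title } pairs from the <A HREF="...">title</A> entries.
function parseBookmarks(html) {
  const re = /<A\s+[^>]*HREF="([^"]*)"[^>]*>([^<]*)<\/A>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ href: m[1], title: m[2] });
  }
  return out;
}

// Bookmarks whose (normalised) scheme is "javascript".
function findScriptBookmarks(html) {
  return parseBookmarks(html).filter((b) => normalizeScheme(b.href) === 'javascript');
}

// Usage: list the flagged entries so the user can review or delete them.
for (const b of findScriptBookmarks(SAMPLE_BOOKMARKS_HTML)) {
  console.log(`javascript: bookmark -> "${b.title}" (${b.href})`);
}
```

Only the scheme decides the match, so a URL that merely contains the text "javascript:" in its query string (the last sample entry) is not flagged; the three entries that actually use the scheme, in plain, mixed-case and %-encoded form, are.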
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:45:28 PDT