Re: Communicator 4.[56]x,

From: Claudio Telmon (claudioat_private)
Date: Tue Jul 13 1999 - 13:56:37 PDT

    Peter W wrote:
    >
    > As Netscape has not acknowledged my email or bug report from last week,
    > and one form of this vulnerability is currently being used, I have decided
    > it best to publicize this problem.
    >
    
    I can add something on this topic. Gioacchino La Vecchia (gioat_private)
    and I found the same problem and a couple of
    others (which I'll describe later in this posting) in January. We were
    checking how Communicator handles javascript in mail messages. We made
    some testing and in February decided to send a bug report to Netscape.
    We got an answer at the end of February after some mail exchange.
    Netscape told us that they couldn't include a fix in Communicator 4.51,
    which was "after final build", and asked for 8-10 weeks before we make
    the bugs public. We also got a "Bugs Bounty Recognition Package" ;),
    that is 1000$ and a T-shirt (500$ pro capite).
    
    After that, Communicator 4.51, 4.6 and 4.61 were released.
    Since we are working a lot, time passed and we almost forgot the
    problem.
    The bottom line is that if I find some other bug, Netscape will know
    about it with the bugtraq moderator ;)
    
    Now to the bugs. As I said, we were working on javascript in mail
    messages, so we noticed this bug in mail messages. A message sent to a
    public mailing list or a spam message can leave a "mark" in your cookies
    database that can be read by any other message (or web page?).
    If I remember correctly, we tested this also on Explorer and it worked.
    
    Now the default setting is that javascript in mail messages is disabled,
    but the bug is not fixed. As you noticed, "same origin" is
    not enforced.
    
    Another partially fixed bug is that with
    
    wysiwig://0/mailbox:/home/claudio/nsmail/Inbox?number=2
    
    you can access the first message of the mailbox.
    
    We used
    
    window.open("wysiwig://0/mailbox:/home/claudio/nsmail/Inbox?number=2")
    
    With the original bug, you could access document.links[] and get the
    addresses of sender, recipient etc. Now you can still get
    document.title, which is the subject of the message. If you try other
    values instead of 2, you can get the offset of the beginning of another
    message in the mailbox and work on it, or else Communicator will crash.
    
    The original report can be found at
    
    http://metalab.unc.edu/gio/papers/netscape/netscape.html
    
    ciao
    
    - Claudio
    
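The post's central point is that cookies written by script in one mail message could be read by any other message, i.e. no same-origin rule was applied. The following is an added illustration, not code from the post, from Netscape or from the original report: it models two cookie stores, a flat one that behaves the way Claudio describes, and one partitioned by origin, so the difference is visible on constructed input. The `mail:<label>` convention for identifying a message's origin is an assumption made for this example; real mail clients have no web origin for message content, which is exactly why a client has to assign one.

```javascript
// Added example (not part of the original post): same-origin partitioning of
// a cookie store. Web documents get scheme+host+port as their origin key;
// mail content is given an opaque per-message label by the caller
// (a hypothetical convention used only in this example).
function originKey(source) {
  if (source.startsWith('mail:')) return source;           // hypothetical label
  const u = new URL(source);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Behaves like the store the post describes: one shared table, so a "mark"
// left by one message is visible to every other message or page.
class FlatCookieJar {
  constructor() { this.store = new Map(); }
  set(_origin, name, value) { this.store.set(name, value); }
  get(_origin, name) { return this.store.has(name) ? this.store.get(name) : null; }
}

// Partitioned store: a reader only sees cookies written under its own origin key.
class PartitionedCookieJar {
  constructor() { this.jars = new Map(); }
  set(origin, name, value) {
    const key = originKey(origin);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
  get(origin, name) {
    const jar = this.jars.get(originKey(origin));
    return jar && jar.has(name) ? jar.get(name) : null;
  }
}

// Constructed scenario: message 1 (say, a post to a public list) leaves a mark;
// message 2 and an unrelated web page then try to read it.
function demo() {
  const flat = new FlatCookieJar();
  const partitioned = new PartitionedCookieJar();
  flat.set('mail:message-1', 'mark', 'left-by-list-post');
  partitioned.set('mail:message-1', 'mark', 'left-by-list-post');
  return {
    flatOtherMessage: flat.get('mail:message-2', 'mark'),
    flatWebPage: flat.get('http://www.example.com/', 'mark'),
    partitionedOtherMessage: partitioned.get('mail:message-2', 'mark'),
    partitionedWebPage: partitioned.get('http://www.example.com/', 'mark'),
    partitionedSameOrigin: partitioned.get('mail:message-1', 'mark'),
    // default port is normalised so http://host/ and http://host:80/ match
    defaultPortMatches: originKey('http://www.example.com/') === originKey('http://www.example.com:80/x'),
  };
}

console.log(demo());
```

The point of keying on an opaque per-message label rather than on a URL is that every message in a mailbox shares the same scheme and "host" in a `wysiwyg://` style address, so a plain scheme/host/port comparison would still put all messages in one origin; a mail client needs a finer partition than the web rule provides.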



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:26 PDT