Peter W wrote: > > As Netscape has not acknowledged my email or bug report from last week, > and one form of this vulnerability is currently being used, I have decided > it best to publicize this problem. > I can add something on this topic. Gioacchino La Vecchia (gioat_private) and me found the same problem and a couple of others (which I'll describe later in this posting) in January. We were checking how Communicator handles javascript in mail messages. We made some testing and in February decided to send a bug report to Netscape. We got an answer at the end of February after some mail exchange. Netscape told us that they couldn't include a fix in Communicator 4.51, which was "after final build", and asked for 8-10 weeks before we make the bugs public. We also got a "Bugs Bounty Recognition Package" ;), that is 1000$ and a T-shirt (500$ pro capite). After that, Communicator 4.51, 4.6 and 4.61 where released. Since we are working a lot, time passed and we almost forgot the problem. The bottom line is that if I'll find some other bug, Netscape will know about it with the bugtraq moderator ;) Now to the bugs. As I said, we were working on javascript in mail messages, so we noticed this bug in mail messages. A message sent to a public mailing list or a spam message can leave a "mark" in your cookies database that can be read by any other message (or web page?). If I remember correctly, we tested this also on Explorer and it worked. Now the default setting is that javascript in mail messages is disabled, but the bug is not fixed. As you noticed, "same origin" is not enforced. Another partially fixed bug is that with wysiwig://0/mailbox:/home/claudio/nsmail/Inbox?number=2 you can access the first message of the mailbox. We used window.open("wysiwig://0/mailbox:/home/claudio/nsmail/Inbox?number=2") With the original bug, you could access document.links[] and get the addresses of sender, recipient etc. Now you can still get document.title, which is the subject of the message. If you try other values instead of 2, you can get the offset of the beginning of another message in the mailbox and work on it, or else Communicator will crash. The original report can be found at http://metalab.unc.edu/gio/papers/netscape/netscape.html ciao - Claudio
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:26 PDT