Re: Netscape communicator 4.x Javascript security flaw

From: Ahmed Ghandour (ghandourat_private)
Date: Fri Nov 26 1999 - 10:03:16 PST


    > But you cannot use it to automatically grab form data as was implied
    > on the nsSecurityFlaw1.html page.
    I know this, but what you can do is override a global function like validForm(form), which you can find in the Crestar bank page, with your own function, and that way you can have access to his document.form object and also grab his customer number and PIN code!
    You can write one script to automatically override any JavaScript function in any page from any domain visited by the user! And this is a big security hole!
    
    Thanks
    Ahmed Ghandour
    
    
    
    Netscape has a "persistent" navigator object, which means that any data put
    in the window.navigator object will be accessible to every other window as long
    as the browser is running. This is slightly worse than non-persistent cookies
    since it works across domains. (Not by much: advertisers didn't wait for this
    feature to track users across different sites.)
    
    Any window that somehow gets a handle to another window can look at it.
    If you try to explore the objects inside that window, you'll see pretty much
    every global function and variable defined on that window. But you cannot see
    "sensitive" objects like document, history, location, etc.
    This is mostly an attempt at not breaking compatibility with scripts developed
    with previous versions of Navigator: Every object can be accessed except those
    known to be sensitive.
    It can be a problem if a script happens to copy sensitive data into global
    variables. But you cannot use it to automatically grab form data as was implied
    on the nsSecurityFlaw1.html page.
    
    I'm surprised to see this working on an https page. A page loaded from a secure
    server should be treated as a secure container (just like pages containing
    signed JavaScript) and should refuse any access from an external source.
    
    http://developer.netscape.com/docs/manuals/communicator/jssec/contents.htm
    
    Regards,
    Henri Torgemane
    
    On Wed, 24 Nov 1999, Ahmed Ghandour wrote:
    > I found one problem which affects probably all Netscape 4.x browsers; if you want to know more details please check out http://people.magnet.com/~ghandour/
    >
    > Ahmed Ghandour
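A worked illustration of the two points in the exchange above (globals are visible, and replaceable, from any window that gets a handle; sensitive data copied into globals is therefore exposed), as an added example that is not part of the original thread or of Netscape's code. A plain object stands in for a window's global object so it runs offline in Node; real Navigator 4.x behaviour is not modelled. Object.defineProperty and Object.freeze are ES5 calls that 1999 browsers lacked, the closure pattern is the portable part, and the customer number is a constructed sample value.

```javascript
// Added example, not code from the original thread. A plain object stands in
// for a page's window/global object: everything put on it is what a foreign
// window with a handle could enumerate (document, location etc. excluded, as
// the thread notes, but ordinary globals are not).

// Pattern the thread warns about: sensitive data copied into a global
// variable, validator exposed as an ordinary, replaceable global function.
function buildLeakyPage() {
  var page = {};
  page.customerNumber = "12345678";           // constructed sample value
  page.validForm = function (form) {
    return typeof form.pin === "string" && form.pin.length === 4;
  };
  return page;
}

// Hardened pattern: sensitive state and the validator live in a closure, so
// they never appear as globals; the one exposed entry point is made
// non-writable and the page object is frozen. Object.defineProperty and
// Object.freeze are ES5 features (absent in 1999 browsers); the closure part
// works without them.
function buildGuardedPage() {
  var page = {};
  var submit = (function () {
    var customerNumber = null;               // private, not a global
    function validForm(form) {
      return typeof form.pin === "string" && form.pin.length === 4;
    }
    return function (form) {
      if (!validForm(form)) { return "rejected"; }
      customerNumber = form.customer;         // kept in closure scope only
      return "accepted";
    };
  })();
  Object.defineProperty(page, "submit", {
    value: submit, writable: false, configurable: false, enumerable: true
  });
  Object.freeze(page);
  return page;
}

// What another window with a handle to this one can list: every enumerable
// global name, joined for easy comparison.
function enumerateGlobals(page) {
  return Object.keys(page).sort().join(",");
}

// Check whether a page's global function can be swapped for another one.
// Returns true if the replacement took effect, false if the page resisted.
function canReplaceGlobal(page, name) {
  var original = page[name];
  try {
    page[name] = function () { return "replaced"; };
  } catch (e) {
    // In strict mode, writing a non-writable property throws a TypeError;
    // in sloppy mode the write silently fails. Either way nothing changed.
  }
  return page[name] !== original;
}

// Stand-alone run
var leaky = buildLeakyPage();
var guarded = buildGuardedPage();
console.log("leaky globals:   " + enumerateGlobals(leaky));          // customerNumber,validForm
console.log("guarded globals: " + enumerateGlobals(guarded));        // submit
console.log("replace leaky.validForm: " + canReplaceGlobal(leaky, "validForm")); // true
console.log("replace guarded.submit:  " + canReplaceGlobal(guarded, "submit"));  // false
console.log(guarded.submit({ customer: "12345678", pin: "1234" }));  // accepted
```

The leaky page lists both its customer number and its validator, and the validator can be swapped; the guarded page lists only `submit`, which cannot be replaced, and the customer number never becomes a global at all. The freeze does not help against a script that can write to the page's objects before they are frozen, so the closure, which keeps the data out of reach in the first place, is the part to rely on.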
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:14:31 PDT