Opera and Netscape browsers allow you to include java methods calls in your javascript . As Javascript has support for objects you can use objects returned by these calls in your scripts . I have been looking for information about the possibly security implications ( and vulnerabilities published ) that this could have , but have found nothing . Doing some test by myself this is what I have found . Opera 6.01 If you use Opera 6.01 you can make calls to Java exec function , which executes the command line passed to it . This means you can execute any program . Here is a small demonstration http://usuarios.lycos.es/idoru/petaopera.html The second link executes windows calculator . The first link executes verifier.exe , a W2000/XP program , causing a buffer overflow in it ( W2000 server is full of command line buffer overflows ), this means that just visiting a webpage ( a malicious site or a post in a forum ) code can be executed in your machine with user priviliges . Besides , playing with sockets from javascript you can obtain the local Ip address with var host=java.net.InetAddress.getLocalHost(); and use it to connect to an arbitrary local tcp port on your IP . If you are connected to a LAN , you can connect with every socket in your LAN interface.This means that with viewing some post in a forum , a script can connect to a port on your PC and send and recieve data ( as classes like InputDataStram can be used as well ). A new type of cross site scripting focused in exploiting vulnerable services . An example can be found here , connection to port 139 can be tracked with netstat ( before closing the browser ) http://usuarios.lycos.es/idoru/sockets.html Opera 7.02 and Netscape 7.02 Both browsers donīt allow to make java calls to determinate methods . Well , are allowed by they return a null . You can`t execute exec or delete , just methods like java.io.File.exists() or java.io.File.list() but you can still execute sockets . Fourtunately , I wasnīt able of retriving another IP different from localhost when the script is executed in the server , but it works fine if you email the webpage , establishing the connection with port 139 . I donīt know if there is an alternative method of retrieving a visitor's IP address from java or javascript but if there is this can be exploitable via cross site scripting . Email sockets.html to you or open it locally and you will see a connection with netstat . Regards , David F.Madrid , Madrid , Spain
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 14:36:23 PST