Well yes and no. Netscape does have cross-domain security mechanisms. so w=open("http://www.far-away.com");alert(w.document.cookie); will fail because of that mechanism. Netscape protects parts of the DOM that are likely to contain sensitive stuff. That includes the location object, any form object, and I think m ost, if not all, of the document object. However, it doesn't block access to user-defined members of another page on another domain. So theorically, one could imagine a site A with a form, and a validation script that stores some of the form content in global variable, and an evil site B that gets open a window to site A and talk the user into filling the form, then keep polling specific global variables in hope to steal some data. Coming up with a practical attack is another matter. Hope that helps, Henri --- Avi Mozes <amozesat_private> wrote: > > > I found out that Netscape doesn't have security when > it comes to accessing sites from domain to domain. > This seems to work in 4.7x -- I have not tried it out yet > in Netscape 6. What this hole allows you to do is run > any Javascript (and VBScript) functions on any site > as well as change values of global variables. This > allows you to run functions that you shouldn't run or > set variables to values that could damage or allow > you to access information. > > The way it's done: have a page open (with a simple > window.open command using a window handle) any > site. > To run a function, run on the parent page: > winhandle.function(param); > To change any variable: > winhandle.var = value; > > One exploit is with cookies where you are able to get > and set cookies if the site has cookie functions. This > will make it able for you to set cookies from that > domain. If a site relies on Javascript or cookies for > some point of thier security system, this could be > even more damaging. And lastly, it can grab user > information if a user uses a page with this exploit and > continues to another domain opened by the page. > > Let me know your ideas on this. > Avi > amozesat_private __________________________________________________ Do You Yahoo!? Send FREE video emails in Yahoo! Mail! http://promo.yahoo.com/videomail/
This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 20:16:29 PST