Netscape 2.01 & JavaScript
Last Saturday I wrote:
> > or if there is still a "privacy vulnerability" in Navigator 2.01.
> Not to my knowledge.
I have since produced examples of three exploits of JavaScript that work
with 2.01 (as long as JavaScript is enabled):
1. History tracking
This is somewhat similar to the previous method I had developed
for 2.0. Whereas that previous approach just read the location
from the user's window, this approach takes advantage of a
known bug that allows JavaScript code to get "stuck" in a
browser. I was able to create this example because I found a
reliable way of invoking this "stuck onload" bug. My reliable
method requires an interaction from the user; namely pressing
"CANCEL" on an unexpected "Save File" dialog box that suddenly
appears (you'd press CANCEL, too, if that happened to you!).
An example exploit of this is available at my URL.
2. Reading & retrieving directory listings
This looks similar to the previous example by Tennyson (for
2.0b3) and myself (for 2.0). Internally, it does a significant
amount of additional work to avoid the "loaded from same site"
restriction added in 2.01.
I have not yet made an example of this exploit available to
anyone outside of Netscape.
3. Reading & retrieving files
The implementation of HTTP file upload in Netscape 2.0
took many measures to make sure a form couldn't be used to steal
files. In particular, filenames couldn't be defaulted in the form,
but had to be entered by the user. Additionally, JavaScript was
denied access (read and write) to the filename.
Basically, I found a way to set the filename in a file
element of a form from JavaScript. The example is short and
unfortunately straightforward. This approach requires a user
to press a form button to trigger the file upload. However,
this could be any button on any form, without any indication
that it was for a file upload. That is, this could be the
"Search" button at Alta Vista, or the "Get Another Fortune" at
my own quote collection page. Further, this approach could be
used to upload a different file from the one the user selected,
without the user knowing that this has happened.
This is simply an abuse of the HTTP file upload facility, something
that was foreseen by several people.
I have not yet made an example of this exploit available to
anyone outside of Netscape.
My examples, when available, are at http://www.osf.org/~loverso/javascript/.
My understanding from Netscape is that these problems will be fixed in an
early beta of 3.0, due in a month (or so). Further, I think they will
be putting a confirmation dialog on form postings that includes instances
of mailto: and file upload.
Note that users of 2.01 can simply disable JavaScript to avoid these problems.
John Robert LoVerso
OSF Research Institute