
Netscape 2.01 & JavaScript

Last Saturday I wrote:

> > or if there is still a "privacy vulnerability" in Navigator 2.01.
> Not to my knowledge.

I have since produced examples of three exploits of JavaScript that work
with 2.01 (as long as JavaScript is enabled):

1. History tracking

	This is somewhat similar to the previous method I had developed
	for 2.0.  Whereas that previous approach just read the location
	from the user's window, this approach takes advantage of a
	known bug that allows JavaScript code to get "stuck" in a
	browser.  I was able to create this example because I found a
	reliable way of invoking this "stuck onload" bug.  My reliable
	method requires an interaction from the user; namely pressing
	"CANCEL" on an unexpected "Save File" dialog box that suddenly
	appears (you'd press CANCEL, too, if that happened to you!).

	An example exploit of this is available at my URL.

2. Reading & retrieving directory listings

	This looks similar to the previous example by Tennyson (for
	2.0b3) and myself (for 2.0).  Internally, it does a significant
	amount of additional work to avoid the "loaded from same site"
	restriction added in 2.01.

	I have not yet made an example of this exploit available to
	anyone outside of Netscape.

3. Reading & retrieving files

	The implementation of HTTP file upload in Netscape 2.0
	took many measures to make sure a form couldn't be used to steal
	files.  In particular, filenames couldn't be defaulted in the form,
	but had to be entered by the user.  Additionally, JavaScript was
	denied access (read and write) to the filename.

	Basically, I found a way to set the filename in a file
	element of a form from JavaScript.  The example is short and
	unfortunately straightforward.  This approach requires a user
	to press a form button to trigger the file upload.  However,
	this could be any button on any form, without any indication
	that it was for a file upload.  That is, this could be the
	"Search" button at Alta Vista, or the "Get Another Fortune" at
	my own quote collection page.  Further, this approach could be
	used to upload a different file from the one the user selected,
	without the user knowing that this has happened.

	This is simply an abuse of the HTTP file upload facility, something
	that was foreseen by several people.

	I have not yet made an example of this exploit available to
	anyone outside of Netscape.

My examples, when available, are at http://www.osf.org/~loverso/javascript/.

My understanding from Netscape is that these problems will be fixed in an
early beta of 3.0, due in a month (or so).  Further, I think they will
be putting a confirmation dialog on form postings that includes instances
of mailto: and file upload.

Note that users of 2.01 can simply disable JavaScript to avoid these problems.

John Robert LoVerso
OSF Research Institute