Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1999_2

Bugtraq archives for 2nd quarter (Apr-Jun) 1999: Netscape Communicator bookmarks <TITLE> security vulnerability

Netscape Communicator bookmarks <TITLE> security vulnerability

Georgi Guninski (joroNAT.BG)
Sun, 16 May 1999 17:17:34 +0300

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Przemyslaw Frasunek: "Re: fts, du, find"
Previous message: John Daniele: "TGAD DoS"

This is a multi-part message in MIME format.
--------------F3105EC02EB2ADDFF54136DC
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit

There is a security bug in Netscape Communicator 4.51 Win95, 4.07 Linux
(guess all 4.x versions are affected) in the way they handle special
bookmarks
with JavaScript code in the title.

If you enclose a JavaScript code with <SCRIPT> tags in the <TITLE>
tag and bookmark that page, the JavaScript code is written in the local
bookmarks file.
Then when the bookmarks file is open, the JavaScript code is executed in
the security
context of a local file - the bookmarks file.
The bookmarks file may be open by a script, probably a server redirect
or by the user.
The bookmarks file name must be known, but it is easily guessed for most
dialup
users.

Vulnerabilities: reading user's bookmarks, browsing local directories,
reading local files (works fine on Linux, probably possible on Windows).

Workaround: Disable JavaScript or do not bookmark untrusted pages.

Demonstration is available at: http://www.nat.bg/~joro/book2.html
See attached file for the source.

Georgi Guninski
 http://www.nat.bg/~joro
 http://www.whitehats.com/guninski
--------------F3105EC02EB2ADDFF54136DC
Content-Type: text/html; charset=koi8-r;
 name="book2.html"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="book2.html"

<SCRIPT> alert('Bookmarks got control'); s='Here are some bookmarks: \n'; for(i=1;i<7;i++) s += document.links[i]+'\n'; alert(s); dirToRead='wysiwyg://2/file://c:/'; a=window.open(dirToRead); s='Here are some files in C:\\ :\n'; for(i=1;i<7;i++) s += a.document.links[i]+'\n'; a.close(); alert(s); </SCRIPT> There is a security bug in Netscape Communicator 4.51 Win95, 4.07 Linux (guess all 4.x versions are affected) in the way they handle special bookmarks with Javascript code in the title.
If you enclose a JavaScript code with <SCRIPT> tags in the <TITLE> tag and bookmark that page, the JavaScript code is written in the local bookmarks file. Then when the bookmarks file is open, the JavaScript code is executed in the security context of a local file. The bookmarks file may be open by a script, probably a server redirect or by the user. The bookmarks file name must be known - easily guessed for most dialup users.

Vulnerability: reading user's bookmarks, browsing local directories, reading local files (works fine on Linux, probably possible on Windows).
Workaround: Disable JavaScript or do not bookmark untrusted pages.

To test it:
1) Bookmark this page.
2) Close all NC windows and restart NC.
3) Open bookmarks file (change the filename in the field below if needed and click "Open bookmarks", or use File| Open Page... )

Open bookmarks

Go to Georgi Guninski's home page

--------------F3105EC02EB2ADDFF54136DC--

Next message: Przemyslaw Frasunek: "Re: fts, du, find"
Previous message: John Daniele: "TGAD DoS"