Date: Tue, 1 Jun 1999 19:08:49 +0300
From: Georgi Guninski
To: BUGTRAQ@netspace.org
Subject: Netscape Communicator "view-source:" security vulnerabilities

There is a security vulnerability in Netscape Communicator 4.6 Win95, 4.07 Linux (probably all 4.x versions) in the way it works with "view-source:wysiwyg://1/javascript" URLs. It parses them in a "view-source" window. The problem is that it allows access to documents included in the parent document via ILAYER SRC="view-source:wysiwyg://1/" using find(). That allows reading the whole parsed document.

Vulnerabilities:
Browsing local directories
Reading user's cache
Reading parsed HTML files
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.
Probably others

This vulnerability may be exploited by using an HTML email message.

Workaround: Disable JavaScript

Netscape is notified about the problem.

Demonstration is available at: http://www.nat.bg/~joro/viewsource.html

Regards,
Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski

[ Part 2: "Attached Text" ]

This demonstration tries to find your email address, it may take some time.

Written by Georgi Guninski

s="view-source:wysiwyg://1/javascript:s='vvvv>&>"" +"" +" blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;" +"setTimeout(\" " +"for(i=0;i'";
//a=window.open(s);
location=s;
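Added example, not part of Guninski's post or his demonstration page: since the advisory names HTML email as the delivery vector, this is a mail-gateway style check, written in JavaScript, that flags message bodies carrying the "view-source:" and "wysiwyg://" URL schemes, the ILAYER SRC= vector the advisory describes, and inline scripts that build such URLs. The scheme and tag names come from the advisory; the function names, the quarantine/review/deliver policy and the two sample message bodies are assumptions constructed for illustration.

```javascript
// Added example (not from the advisory): gateway-side scan of an HTML mail body
// for the Netscape "view-source:" / "wysiwyg://" vector. Sample bodies below are
// constructed, not captured mail.

// URL schemes that have no business in a mail body (first two from the advisory).
const SUSPICIOUS_SCHEMES = ["view-source:", "wysiwyg:", "javascript:"];
// Schemes whose mere mention inside <script> text is worth a finding.
const SCRIPT_MARKERS = ["view-source:", "wysiwyg:"];
// Netscape-specific elements the advisory uses to pull a second document in.
const LAYER_TAGS = new Set(["layer", "ilayer"]);

const TAG_RE = /<\s*([a-z][a-z0-9]*)\b([^>]*)>/gi;
const ATTR_RE = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;

// Normalise a URL for scheme comparison: lower-case it and drop whitespace and
// control characters so a padded or mixed-case scheme prefix still compares.
function normalizeUrl(value) {
  return value.toLowerCase().replace(/[\s\x00-\x1f]/g, "");
}

// Returns a list of findings {tag, attr, scheme, value} for one HTML body.
function scanHtmlMessage(html) {
  const findings = [];
  // Pass 1: src=/href= attributes on every element.
  for (const tagMatch of html.matchAll(TAG_RE)) {
    const tag = tagMatch[1].toLowerCase();
    for (const a of tagMatch[2].matchAll(ATTR_RE)) {
      const value = (a[2] || a[3] || a[4] || "").trim();
      const scheme = SUSPICIOUS_SCHEMES.find((s) => normalizeUrl(value).startsWith(s));
      if (scheme) findings.push({ tag, attr: a[1].toLowerCase(), scheme, value });
    }
  }
  // Pass 2: inline <script> text that mentions the view-source/wysiwyg schemes.
  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = normalizeUrl(m[1]);
    const scheme = SCRIPT_MARKERS.find((s) => body.includes(s));
    if (scheme) findings.push({ tag: "script", attr: null, scheme, value: m[1].trim().slice(0, 80) });
  }
  return findings;
}

// Assumed policy: view-source:/wysiwyg: anywhere, or any LAYER/ILAYER fetch, is
// quarantined; a plain javascript: link is held for review; the rest is delivered.
function messageVerdict(html) {
  const findings = scanHtmlMessage(html);
  const quarantine = findings.some((f) => f.scheme !== "javascript:" || LAYER_TAGS.has(f.tag));
  const action = quarantine ? "quarantine" : findings.length ? "review" : "deliver";
  return { action, findings };
}

// Constructed sample bodies.
const BENIGN_MESSAGE =
  '<html><body><p>Hi</p><a href="http://www.example.com/">link</a><img src="cid:logo@example"></body></html>';
const HOSTILE_MESSAGE = [
  "<html><body><p>Hello</p>",
  '<ILAYER SRC="view-source:wysiwyg://1/"></ILAYER>',
  '<script>s="view-source:wysiwyg://1/javascript:"; location=s;</script>',
  "</body></html>",
].join("\n");

console.log(messageVerdict(BENIGN_MESSAGE).action);  // deliver
console.log(messageVerdict(HOSTILE_MESSAGE).action); // quarantine
```

Two design points: the scheme comparison runs on a normalised copy of the attribute value, because a case change or embedded whitespace must not let a prefix slip past a literal string match; and the LAYER/ILAYER elements are treated as a quarantine signal on their own, since outside Netscape 4 there is no legitimate reason for a mail body to use them.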