[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Netscape Bug Reproduced




Subject: Netscape privacy problem reproduced at EIFIST
Date:    6/16/97 5:34 PM
     
Netscape privacy problem:
     
Using information gleaned from the web site of the Danish company that 
first reported the problem, Keith Woodard and Dave Humphrey at EIFIST 
have built a web page which reproduces the privacy problem in Netscape 
Navigator and Communicator web browsers.  From that effort they have 
developed a better understanding of how the Netscape bug works, and what 
defensive measures users can take until a bugfix is available from 
Netscape.
     
First, the problem is indeed read-only, and involves only files to which 
the explicit path name is known.  Second, all file systems accessible 
from the Netscape user's system are reachable -- that means mapped 
network drives as well as the local hard disk.  Third, JavaScript can be 
used by a web site to automate reading a user's file so that it is 
invisible to the user.  However, the bug does not involve use of Java at 
all.
     
The demo website can be visited at the following URL:
     
     http://eifist.frb.org/hacker/fileupload.html
     
Please urge all Internet web users to take the following interim steps until a
permanent fix is available from Netscape:
     
*  In Navigator 3.x and 2.x, go to the Options menu and select Security 
   Preferences. Select the "Submitting a Form Insecurely" preference to  
   enable that warning dialog box.  This will generate a warning box 
   whenever a site tries to upload a form, giving the user a chance to 
   decide whether to allow it.
     
*  Also, in Navigator 3.x and 2.x, go to the Options menu and select
   Network Preferences.  Turn OFF the "Enable JavaScript" preference. 
   This will block execution of JavaScript code which might try to 
   perform an invisible file upload, while permitting display of the     
   rest of the page.
     
These measures are temporary until a full bug fix is made 
available by Netscape and proven against the EIFIST demo page.  
     
Regards