[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Tricky Netscape Security Hole
Yes it's full of headers, but it's the complete, unexpurgated version.
If this theory is correct, this IS FAR WORSE THAN A 40 bit key.
I saw the livescript on the source code.
I use 1.22 for image stability right now, though.
Yes it's a came from, a came from, a came from kinda deal,
but in the interest of security brevity it "seems real enough" to me.
>Posted-Date: Mon, 4 Dec 1995 12:57:21 -0600
>X-Sender: [email protected]
>Date: Mon, 4 Dec 1995 10:51:56 -0700
>To: [email protected]
>From: [email protected] (We're a Comglomerate) (by way of [email protected]
> (Jeffrey Logsdon))
>Subject: Tricky Netscape Security Hole
>Anybody else see this happening?
>Eternal Vigilance, and all that.
>- ------- Start of forwarded message -------
>>From: Scott Weston <[email protected]>
>>Subject: Netscape 2.0b2 allows for invasion of privacy
>>Date: Fri, 01 Dec 1995 11:09:06 +1100
>Hi 'Net Dwellers,
>First off - I've posted this before (however not to this group) and only
>got a response from the Netscape Corp. They were glad I found the
>problem and said that they would fix it, however I feel that people
>should know about it. Also I would like people to help me spread this
>document around, i.e. if you know of a newsgroup (or people) that would
>find this interesting then please re-postit.
>On with the problem...
>I've recently got hold of the latest netscape, and was (at first) very
>excited about the new "LiveScripts" that it supports. If people don't
>yet know - these "LiveScripts" allow you to put small programs into your
>web page that is then executed by the Netscape client. There is no
>DIRECT way for these programs to send information back to the owner of
>the web page, however I was able to do it in a not-so-direct way.
>The "LiveScript" that I wrote extracts ALL the history of the current
>netscape window. By history I mean ALL the pages that you have visited
>to get to my page, it then generates a string of these and forces the
>Netscape client to load a URL that is a CGI script with the QUERY_STRING
>set to the users History. The CGI script then adds this information
>to a log file. Now if this hasn't quite CLICKED yet lets do a little
>Johnny Mnemonic starts up his newly acquired version of Netscape2.0b2
>to start his daily "surf" session. First he decides to check his CD-NOW
>purchase and uses the handy Auto-Login URL. Then he decides to go to
>Lycos and do a search. In his search he find my page, which he decides
>to visit. Suddenly he is transported, not to my main page but to one
>of my CGI scripts, which in turn happens to have ALL the URL's he just
>been to in it. This means that in my log will be:
> - the URL to use to get into CD-NOW as Johnny Mnemonic, including
> username and password.
> - The exact search params he used on Lycos (i.e. exactly what he
> searched for)
> - plus any other places he happened to visit.
>I do this in a way that the user will KNOW that it has happened and
>will _hopefully_ email Netscape and tell them they are NOT impressed.
>But it would be EASY for me to change the CGI script so that the user
>is unaware that it has actually happened, unless they closely examine
>their URL history (in fact they'll probably just think its a netscape
>If you're skeptical about this then do the test yourself. Get netscape
>2.0b2 and do some normal surfing, and then go to Lycos. Do a search for:
> scotts car boot sale
>which should return the URL - http://www.tripleg.com.au/staff/scott
>Click on the URL and sit back an watch. First my main page will show up
>but a little while later you should be transported to a CGI bin script
>that will show you your URL history.
>I have tested this with both the Linux 2.0b2, and Solaris 2.0b2 versions
>and both have done the same thing. I would be interested in knowing if
>it happens for ALL versions of Netscape2.0b2. The log file does log
>the User Agent (i.e. the name of the platform you are using) so by simply
>going to the page I will know that your version of Netscape is also
>open to this form of attack.
>Currently I can find no way to configure Netscape2.0b2 to NOT run
>LiveScripts - and at the very least this option should be quickly
>added to the next version of netscape to be released. But a far
>better solution (IMHO) would be for netscape to pop up a window before
>running the LiveScript and let you know what the LiveScript wants access
>to, e.g. if it only wants to print out the current time then that's
>OK, but if it wants to read my history list and then transport me to
>a CGI script and add me to a logfile then maybe I would say NO.
>I think I've said enough....
>If you've got any further questions, or want some more information just
>email me : [email protected]
>Quote from a car accident insurance claim: "I told the police that I was
>not injured, but on removing my hat, I found that I had a skull fracture."
>- ------- End of forwarded message -------
Thaddeus "Doc" Ozone <http://www.winternet.com/~drozone/>
"Specialization is for insects." -RAH
"I yam what I yam and that's all what I yam!" -Popeye