Bugtraq mailing list archives
More information about JavaScript bug
From: matthias.dominick () PN SIEMENS DE (Dominick Matthias PN OIL 6)
Date: Fri, 11 Jul 1997 16:07:00 +0200
It seems that some people didn't know what I was talking about, so I'm going to explain it in a little more detail.

First of all, some people suggested upgrading to Netscape Communicator 4.01, which is not a solution for us right now because we would have to upgrade thousands of PCs with a completely new version, which means a lot of support for us because the GUI changed so much. So for us it means staying with version 3.x right now.

I got the impression that people didn't realize I was talking about two different bugs:

1) The first one was discovered by a Danish IS consultant company and enabled a site to retrieve a file from a client via the HTTP protocol, assuming the location and name of the file were known to the site. To hide this action from the user the site would have to use JavaScript, but in general (if you submitted forms to the site) it worked without JavaScript.

2) The second bug is totally JavaScript related and enables a site to monitor all activities (visited URLs) including *all* submissions into forms at *other* servers!! You can find more information, incl. a live demonstration, @ http://www.aleph2.com/tracker/ Imagine you visit a malicious site and afterwards you visit an online store, giving your credit card number and/or password...

Bug #1 was fixed with Netscape Communicator 4.01, and as far as I know bug #2 wasn't publicly known at this time, so Netscape couldn't fix that bug. While Netscape promised to fix Netscape Navigator 3.01 shortly afterwards, nothing happened for quite a while. In the middle of this week I became aware of bug #2, and shortly afterwards Netscape released 3.02, saying that this version fixes bug #1 and another JavaScript bug found by an employee at Bell Labs. At this time I wasn't sure if this was bug #2 or another one. Netscape promised to fix the Bell Labs bug with Netscape Communicator 4.02, so this would mean that 3.02 would be even safer than 4.01.

So I downloaded 3.02 for Windows 95 and confirmed that bug #1 got fixed. However, connecting with 3.02 @ tracker, it will still track my URLs and form submissions. The programmer programmed an even better solution where, under normal circumstances, you won't even realize that all your visits are tracked. Connecting with 4.01 to this site, it still tries to track down my URLs but they don't get written to the log file, so now I'm even more confused.

What I have learned so far is that, using either 3.02 or 4.01, I will definitely disable JavaScript, because in my opinion bug #2 can be *very* dangerous! I hope Netscape will shortly release a new version of Navigator and Communicator which will fix bug #2.

Bye
-- Matthias