Bugtraq mailing list archives

Re: Netscape Exploit... with technical details.


From: phear () OUTLAWLABS COM NO SPAM (Phear)
Date: Sat, 14 Jun 1997 13:14:38 -0700


Edwin Li-Kai Liu wrote:

> Rusty Conover wrote:
>
> > In my method JavaScript would have to be used to automatically submit an
> > HTML Form to the server.  In these forms a page writer could have
> > already coded the file name into the source document, such as
> > "autoexec.bat".  When the browser loads the page off of the server, it
> > submits the form which transmits the file to the server via the
> > HTTP-File upload procedure.  The SERVER now has the file the author
> > wanted.  To fool the user, the CGI program sends the location of the
> > real web page to the client, and the client doesn't know otherwise.
> >
> > This method would require the files to be small or else the user will
> > notice this is taking a long time to load the page over a modem.  But
> > the potential for this exploit to be used over faster transmission
> > lines is greater.
> >
> > To have a solution to this problem would be a warning dialog box,
> > telling the user that they are transmitting a file not just a regular
> > HTTP form.  I have not written a single line of code exploiting this
> > potential vulnerability; I might get around to it if I have time.
> >
> > Please note:  I sent this original message 1 day (June 12) before to
> > Netscape and now they confirm that my hypothesis was correct on the
> > URL:
> >
> > http://home.netscape.com/misc/security_update.html
>
> Yes, this is absolutely correct. You have proved my points also.
> Please see my message on the netscape.security newsgroup, titled
> "Re: Security BUG".
>
> I have then posted the same message to other newsgroups one day after,
> which is today. I want the public to know the truth, instead of being in
> a panic. The following is the original message.

<snip>

Well, I would be MORE than excited to see some code for this.  When I
saw the story on CNN, I immediately
went to work and tried to duplicate it.  The only thing I could think of
that would allow the retrieval of files was the
<INPUT TYPE="File"> form element, which sends the file as ENCTYPE
multipart/form-data.  I wrote a little
shell script to display everything that the form sent, and I wrote the
web page, with three javascript functions.  One
to load up the File box with the filename, one to press the submit
button, and a function to be called by the body onload event.

It's a great idea, but I think Netscape has already thought of it
because every attempt to load the file box programmatically
resulted in a javascript error pointing out that the File input type was
READ-ONLY.  I even made it a textbox first,
and then tried to change the type after loading the filename:
    // Set the path on a plain text box, then try to turn it into a file input.
    // Backslashes must be doubled inside a JavaScript string literal.
    document.form.textbox.value="c:\\windows\\someone.pwl"
    document.form.textbox.type="file"

And it still doesn't work.  So, while this seems to be the only place I
can think of for the bug, all attempts at exploiting
it have failed.  Unless you can get around the read-only state of the
file input box, I don't know how it can work.

Anyway, my two cents..

phear
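The "little shell script to display everything that the form sent" is not on the page. As an added example (not from the post or from Netscape), here is a small Python inspector for a multipart/form-data body that lists every part and flags those carrying a filename, which is what a server-side log would need to show before an <INPUT TYPE="File"> upload could go unnoticed. The boundary and body are constructed, not captured from a real browser.

```python
import re

# Constructed sample body: one ordinary text field and one file part, encoded
# the way a browser submits an <INPUT TYPE="File"> with ENCTYPE multipart/form-data.
BOUNDARY = "----ExampleBoundary"
SAMPLE_BODY = (
    "------ExampleBoundary\r\n"
    'Content-Disposition: form-data; name="comment"\r\n'
    "\r\n"
    "hello\r\n"
    "------ExampleBoundary\r\n"
    'Content-Disposition: form-data; name="upload"; filename="autoexec.bat"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "@echo off\r\nPATH=C:\\DOS\r\n"
    "------ExampleBoundary--\r\n"
).encode()


def parse_multipart(body: bytes, boundary: str) -> list:
    """Return one dict per part: field name, filename (if any), content type, size."""
    delim = b"--" + boundary.encode()
    parts = []
    # The first split element is the preamble (empty here); the closing
    # delimiter is followed by "--", which ends the body.
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):  # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            if ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        name = re.search(r'(?<![a-z])name="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type"),
            "size": len(data),
        })
    return parts


def file_parts(parts: list) -> list:
    """Parts that carry a filename, i.e. the ones worth logging as uploads."""
    return [p for p in parts if p["filename"] is not None]
```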


