Bugtraq mailing list archives
Re: Netscape Communicator 4.5 can read local files
From: sven () MSC-MEDIA DE (Sven Carstens)
Date: Wed, 25 Nov 1998 21:58:46 +0100
I have just tested this bug in Netscape 4.5 on a RedHat Linux 5.1 machine, Kermel 2.0.34 and with minor patching of the java, it is also effective. I was sucessful in retrieving ANY LOCAL FILE with the World readable attribute. This includes the /etc/passwd file! In netscape, Edit>Preferences>Advanced>Disable Javascript in Mail and News will block this exploit, unless the person has access to your web server.
I tried it with Kernel 2.0.35 and Netscape 4.08. java40.jar is 1886016 bytes Okt 13 19:14 All I get is this Message : JavaScript Error: uncaught Java exception netscape/security/AppletSecurityException ("security.checkread: Read of '/tmp/test' not permitted")
Current thread:
- Re: Netscape Communicator 4.5 can read local files, (continued)
- Re: Netscape Communicator 4.5 can read local files Ryan Russell (Nov 24)
- Re: Netscape Communicator 4.5 can read local files Ben Collins (Nov 25)
- APC PowerNet SNMP Adapter Security Issues - Beta Firmware Paul Mansfield (Nov 25)
- Re: Netscape Communicator 4.5 can read local files Pavel Kankovsky (Nov 25)
- Re: Netscape Communicator 4.5 can read local files Terence Christopher Haddock (Nov 25)
- Re: Netscape Communicator 4.5 can read local files Ben Collins (Nov 25)
- Re: Netscape Communicator 4.5 can read local files Terence Christopher Haddock (Nov 25)
- XFree86 3.3.3 Released Aleph One (Nov 25)
- Re: Netscape Communicator 4.5 can read local files Trev (Nov 25)
- Re: Netscape Communicator 4.5 can read local files Ben Collins (Nov 25)
- Re: Netscape Communicator 4.5 can read local files Ryan Russell (Nov 24)
- Re: Netscape Communicator 4.5 can read local files kpm (Nov 25)
- Re: Netscape Communicator 4.5 can read local files Sven Carstens (Nov 25)
- Re: Netscape Communicator 4.5 can read local files Michael Teichmann (Nov 26)
- Re: Netscape Communicator 4.5 can read local files Trev (Nov 27)
- Java Redirect Bug - Netscpape 4.0[678] and 4.5 Keith Woodard (Nov 27)
- ipfwadm has pseudo-DoS ;) Domas Mituzas (Nov 28)
- Debian: Security flaw in FSP Vanja Hrustic (Nov 28)
- Debian: Security flaw in FSP David Damerell (Nov 30)
- RSI.0010a.11-29-98.IRIX.AUTOFSD RSI Advise (Nov 29)
- Re: Netscape Communicator 4.5 can read local files Todd C. Campbell (Nov 30)