💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › javabugs.txt captured on 2021-12-04 at 18:04:22.

                      JAVASCRIPT PROBLEMS I'VE DISCOVERED
                                       
   These have all been reported back to Netscape.
   
   The press had a spotty record of reporting correctly on this. I've
   prepared a small report on the stories I've seen. I'm amazed at how
   inaccurate some of the stories are! You'd think that they would have
   at least read some of what I've written!
   
     If you see an article in the press mentioning these pages, please
     let me know.
     
   
     _________________________________________________________________
   
     * (4/1) I will be making the 3/18 and 3/21 exploits available
       shortly, since they are fixed in 3.0b2.
       
     * (3/29) Netscape has gotten some fixes into 3.0b2. Of my three
       exploits that I reported against 2.01, only the new history
       tracker continues to work (i.e., the others were fixed in response
       to my report).
       
     * (3/22) Here is a note to the www-security list I wrote describing
       the latest problems I know affecting 2.01.
       
     * (3/21) I have a means (using 2.0 or 2.01) to read and retrieve
       files off a user's disk. It requires a minimal forms interaction
       by the user (MEANING: the user has to click on something to invoke
       the file read). I am not making this exploit available at this
       time.
       
     * (3/18) I have modified the "directory browser" exploit such that
       it works with 2.01. I am not making this exploit available at
       this time.
       
     * (3/18) Building on the item I discovered on 3/15, I found that if
       I click on Cancel in the Save dialog, it invokes the "stuck
       onload" bug I reported on 2/21 in a deterministic fashion. Trying to
       create such a repeatable incarnation of this bug is what led me
       to my "tracker" in the first place.
       
       Anyway, utilizing a Save File dialog as the initiator, this lets
       me build a history tracker that works with 2.01. I've created a
       sample exploit. This writes the same log as my 2/22 tracker,
       so use this to view the tail of the logfile.
       
       Note that with 2.01, the 1x1 window previously used ends up being
       bigger, so you can easily see it flash. And, the "stuck onload"
       gets "unstuck" by visiting another page with an onLoad() tag. This
       may not be a very intriguing way to spy on someone.
       
     * (3/15) NOTE: This item in and of itself is not necessarily a
       security problem.
       
       JavaScript loaded from some page can write to local files on your
       disk. This info is from my news posting to the devs-javascript
       group. This is the basic bit of code:

        document.open("Can I write to your disk?")
        document.write("<censored>")
        document.close()
   
       
       This trick requires the user to go through a File Save dialog, and
       hence, is not transparent. The user chooses the file name, but I'm
       able to write to disk nonetheless. This is quite against the
       stated fact that JavaScript is "Secure. Cannot write to hard disk"
       - and this works in 2.01.
       
       Try my example.
       
       For me, this always caused a GPF on Windows NT. That is, once the
       File Save dialog appeared, no matter what I selected, it went
       poof! It seems to core dump the UNIX version of Navigator if you
       don't open up a new window relatively fast (i.e., before you go to
       some other JavaScript-laden page). I've found that nasty things
       begin to happen if you click on Cancel in the Save dialog (see
       3/18 for details).
       
       Note that the file never gets closed until you exit Netscape, so
       small writes tend to get buffered up and not output.
       
       The above-mentioned bugs with this mechanism initially led me
       to believe that the ability to write files was errantly added to
       JavaScript. Brendan Eich has since informed me that this ability
       is intentional, or at least, known about.
       
     * (2/22) I discovered a way to make my JavaScript stay resident in a
       new window, so that I can track your history in real time.
       
       This problem has been fixed in Netscape-2.01; see Netscape's
       security note on Java and JavaScript.
       
       You can read the original article I posted to the RISKS Forum on
       this problem. That whole issue is also available in the archive in
       the UK. Another article of interest appeared Keith Dawson's TBTF
       on Feb 28.
       
     * (2/21) I've seen JavaScript stay resident after you leave a page.
       This is what I call the "stuck onload()" problem, and is a BUG
       (still in 2.01).
       
     * (2/13) The bug in Netscape 2.0b3 that allowed JavaScript to
       directory browse lives on in the 2.0 release, even after
       Netscape told us it was fixed.
       
       This is fixed in Netscape-2.01.
       
     * This is classified as a red herring, but JavaScript has the
       ability to toss up arbitrary alert boxes. I used to have this one
       pop up on my home page. I wanted this message to sound really bad.
       This was before I wrote the tracker. A more interesting message
       would be "Please type your password" or something similar.
       
     * There are hundreds of exciting things to do with Netscape 2.0 and
       JavaScript.
       WARNING: viewing this page may damage or crash Netscape.
       
   
     _________________________________________________________________
   
    John Robert LoVerso, OSF Research Institute
    
    Last modified on Monday, 01-Apr-96 14:51:07 EST.