💾 Archived View for spam.works › mirrors › textfiles › hacking › javabugs.txt captured on 2023-11-04 at 13:23:17.
⬅️ Previous capture (2023-06-14)
-=-=-=-=-=-=-
JAVASCRIPT PROBLEMS I'VE DISCOVERED
These have all been reported back to Netscape.
The press had a spotty record of reporting correctly on this. I've
prepared a small report on the stories I've seen. I'm amazed at how
inaccurate some of the stories are! You'd think that they would have
at least read some of what I've written!
If you see an article in the press mentioning these pages, please
let me know.
_________________________________________________________________
* (4/1) I will be making the 3/18 and 3/21 exploits available
shortly, since they are fixed in 3.0b2. -->
* (3/29) Netscape has gotten some fixes into 3.0b2. Of my three
exploits that I reported against 2.01, only the new history
tracker continues to work (I.e., the others were fixed in response
to my report).
* (3/22) Here is a note to the www-security list I wrote describing
the latest problems I know affecting 2.01.
* (3/21) I have a means (using 2.0 or 2.01) to read and retrieve
files off a user's disk. It requires a minimal forms interaction
by the user (MEANING: the user has to click on something to invoke
the file read). I am not making this exploit available at this
time.
* (3/18) I have modified the "directory browser" exploit such that
it works with 2.01. I am not making this exploit available at
this time.
* (3/18) Building on the item I discovered on 3/15, I found that if
I click on Cancel in the Save dialog, it invokes the "stuck
onload" bug I reported on 2/21 in a determinist fashion. Trying to
create such a repeatable incarnation of this bug is what lead me
to my "tracker" in the first place.
Anyway, utilizing a Save File dialog as the initiator, this lets
me build a history tracker that works with 2.01. I've created a
sample exploit. This writes the the same log as my 2/22 tracker,
so use this to view the tail of the logfile.
Note that with 2.01, the 1x1 window previously used ends up being
bigger, so you can easily see it flash. And, the "stuck onload"
gets "unstuck" by visiting another page with an onLoad() tag. This
may not be a very intriguing way to spy on someone.
* (3/15) NOTE: This item in and of itself is not necessarily a
security problem.
JavaScript loaded from some page can write to local files on your
disk. This info is from my news posting to the devs-javascript
group. This is the basic bit of code:
document.open("Can I write to your disk?")
document.write("<censored>")
document.close()
This trick requires the user to go through a File Save dialog, and
hence, is not transparent. The user chooses the file name, but I'm
able to write to disk none-the-less. This is quite against the
stated fact that JavaScript is "Secure. Cannot write to hard disk"
- and this works in 2.01.
Try my example.
For me, this always caused a GPF on Windows NT. That is, once the
File Save dialog appeared, no matter what I selected, it went
poof! It seems to core dump the UNIX version of Navigator if you
don't open up a new window relatively fast (i.e., before you go to
some other JavaScript laden page). I've found that nasty things
begin to happen if you click on Cancel in the Save dialog (see
3/18 for details).
Note that the file never gets closed until you exit Netscape, so
small writes tend to get buffered up and not output.
These above mentioned bugs with this mechanism initially lead me
to believe that the ability to write files was errantly added to
JavaScript. Brendan Eich has since informed me that this ability
is intentional, or at least, known about.
* (2/22) I discovered a way to make my JavaScript stay resident in a
new window, so that I can track your history in real time.
This problem has been fixed in Netscape-2.01; see Netscape's
security note on Java and JavaScript.
You can read the original article I posted to the RISKS Forum on
this problem. That whole issue is also available in the archive in
the UK. Another article of interest appeared Keith Dawson's TBTF
on Feb 28.
* (2/21) I've seen JavaScript stay resident after you leave a page.
This is what I call the "stuck onload()" problem, and is a BUG
(still in 2.01).
* (2/13) The bug in Netscape 2.0b3 that allowed JavaScript to
directory browse lives on in the 2.0 release, even after
Netscape told us it was fixed.
This is fixed in Netscape-2.01.
* This is a classified as a red herring, but JavaScript has the
ability to toss up arbitrary alert boxes. I used to have this one
pop up on my home page. I wanted this message to sound really bad.
This was before I wrote the tracker. A more interesting message
would be Please type your password or something similar.
* There are hundreds of exciting things to do with Netscape 2.0 and
JavaScript.
WARNING: viewing this page may damage or crash Netscape.
_________________________________________________________________
John Robert LoVerso, OSF Research Institute
Last modified on Monday, 01-Apr-96 14:51:07 EST.
This page accessed 16247 times.