COMMAND

    NS Communicator (javascript)

SYSTEMS AFFECTED

    WinNT, Linux with NSC 4.x

PROBLEM

    Georgi  Guninski  found  the following.  There is a security bug in
    Netscape  Communicator  4.6  Win95,  4.07  Linux  (guess  all  4.x
    versions are affected)  in the way  they treat JavaScript  code in
    the title of the document.   One may embed JavaScript code in  the
    <TITLE> tag.  If the  info about  the document  is shown, then the
    JavaScript code is  executed. The info  about the document  may be
    invoked by a script using 'location="wysiwyg://1/about:document"'.
    The  problem  is  that  the  JavaScript  code  is  executed in the
    security context of the "about:" protocol.  This allows  accessing
    documents  in  the  "about:"  protocol  such  as:   "about:cache",
    "about:config", "about:global", etc.

    Vulnerabilities:

      * Reading  user's  cache  and  accessing  information  such   as
        passwords, credit card numbers.
      * Reading info about the Netscape's configuration ("about:config").

    The latter includes finding the user's email address, mail servers
    and the encoded mail password (it must be saved and may be decoded).
    This allows reading the user's email.  The more dangerous part is
    that this vulnerability MAY BE EXPLOITED USING AN HTML MAIL MESSAGE
    unless you're sanitizing your email.  Anybody using an HTML-enabled
    mail client should at least be aware of the availability of this
    tool (procmail does not work on NetNews):

        ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html

    Demonstration is available at:

        http://www.nat.bg/~joro/titlecache.html
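
    As an added illustration of the mail-sanitizing step mentioned above
    (this is not part of the original advisory and not Guninski's code),
    the following Python filter flags an HTML message whose <TITLE>
    carries script markers or which references the wysiwyg://N/about:
    documents named in the advisory, and neutralises the title by
    stripping tags and escaping it.  The marker list and the sample
    message are constructed assumptions, not an exhaustive detection.

```python
import html
import re

# Title element and its body (titles should never carry markup at all).
_TITLE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)
# Assumed markers of script in a title: a <script> tag, a javascript:
# URL or an inline event handler.  Not exhaustive.
_SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
# References to the about: documents the advisory says become reachable,
# including the wysiwyg://N/about:document trick that shows the doc info.
_ABOUT_REF = re.compile(
    r"wysiwyg://\d+/about:|\babout:(?:cache|config|global|document)\b", re.I
)


def find_title_script(body):
    """Return (kind, snippet) findings for a raw HTML message body."""
    findings = []
    for m in _TITLE.finditer(body):
        inner = m.group(1)
        if _SCRIPT_MARKERS.search(inner):
            findings.append(("script-in-title", inner.strip()[:80]))
    for m in _ABOUT_REF.finditer(body):
        findings.append(("about-protocol-ref", m.group(0)))
    return findings


def neutralise_title(body):
    """Rewrite every <title> so it holds only entity-escaped plain text."""
    def _clean(m):
        text = re.sub(r"<[^>]*>", "", m.group(1))      # drop any tags
        return "<title>" + html.escape(text, quote=False) + "</title>"
    return _TITLE.sub(_clean, body)


# Constructed sample message: script in the title plus the about: trigger.
SAMPLE_MAIL = (
    "<html><head><title>Weekly report <script>doc()</script></title></head>\n"
    "<body><script>location=\"wysiwyg://1/about:document\"</script></body>"
    "</html>"
)

if __name__ == "__main__":
    for kind, snippet in find_title_script(SAMPLE_MAIL):
        print(f"{kind}: {snippet}")
    print(neutralise_title(SAMPLE_MAIL))
```

    The cleaned title removes the script-in-title condition; the about:
    reference in the body is still reported so the message can be
    quarantined rather than silently delivered.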

SOLUTION

    Workaround: Disable JavaScript