128 lines
5.6 KiB
Plaintext
128 lines
5.6 KiB
Plaintext
|
JAVASCRIPT PROBLEMS I'VE DISCOVERED
|
||
|
|
|
||
|
|
These have all been reported back to Netscape.
|
||
|
|
|
||
|
|
The press had a spotty record of reporting correctly on this. I've
|
||
|
|
prepared a small report on the stories I've seen. I'm amazed at how
|
||
|
|
inaccurate some of the stories are! You'd think that they would have
|
||
|
|
at least read some of what I've written!
|
||
|
|
|
||
|
|
If you see an article in the press mentioning these pages, please
|
||
|
|
let me know.
|
||
|
|
|
||
|
|
|
||
|
|
_________________________________________________________________
|
||
|
|
|
||
|
|
* (4/1) I will be making the 3/18 and 3/21 exploits available
|
||
|
|
shortly, since they are fixed in 3.0b2. -->
|
||
|
|
|
||
|
|
* (3/29) Netscape has gotten some fixes into 3.0b2. Of my three
|
||
|
|
exploits that I reported against 2.01, only the new history
|
||
|
|
tracker continues to work (I.e., the others were fixed in response
|
||
|
|
to my report).
|
||
|
|
|
||
|
|
* (3/22) Here is a note to the www-security list I wrote describing
|
||
|
|
the latest problems I know affecting 2.01.
|
||
|
|
|
||
|
|
* (3/21) I have a means (using 2.0 or 2.01) to read and retrieve
|
||
|
|
files off a user's disk. It requires a minimal forms interaction
|
||
|
|
by the user (MEANING: the user has to click on something to invoke
|
||
|
|
the file read). I am not making this exploit available at this
|
||
|
|
time.
|
||
|
|
|
||
|
|
* (3/18) I have modified the "directory browser" exploit such that
|
||
|
|
it works with 2.01. I am not making this exploit available at
|
||
|
|
this time.
|
||
|
|
|
||
|
|
* (3/18) Building on the item I discovered on 3/15, I found that if
|
||
|
|
I click on Cancel in the Save dialog, it invokes the "stuck
|
||
|
|
onload" bug I reported on 2/21 in a determinist fashion. Trying to
|
||
|
|
create such a repeatable incarnation of this bug is what lead me
|
||
|
|
to my "tracker" in the first place.
|
||
|
|
|
||
|
|
Anyway, utilizing a Save File dialog as the initiator, this lets
|
||
|
|
me build a history tracker that works with 2.01. I've created a
|
||
|
|
sample exploit. This writes the the same log as my 2/22 tracker,
|
||
|
|
so use this to view the tail of the logfile.
|
||
|
|
|
||
|
|
Note that with 2.01, the 1x1 window previously used ends up being
|
||
|
|
bigger, so you can easily see it flash. And, the "stuck onload"
|
||
|
|
gets "unstuck" by visiting another page with an onLoad() tag. This
|
||
|
|
may not be a very intriguing way to spy on someone.
|
||
|
|
|
||
|
|
* (3/15) NOTE: This item in and of itself is not necessarily a
|
||
|
|
security problem.
|
||
|
|
|
||
|
|
JavaScript loaded from some page can write to local files on your
|
||
|
|
disk. This info is from my news posting to the devs-javascript
|
||
|
|
group. This is the basic bit of code:
|
||
|
|
|
||
|
|
document.open("Can I write to your disk?")
|
||
|
|
document.write("<censored>")
|
||
|
|
document.close()
|
||
|
|
|
||
|
|
|
||
|
|
This trick requires the user to go through a File Save dialog, and
|
||
|
|
hence, is not transparent. The user chooses the file name, but I'm
|
||
|
|
able to write to disk none-the-less. This is quite against the
|
||
|
|
stated fact that JavaScript is "Secure. Cannot write to hard disk"
|
||
|
|
- and this works in 2.01.
|
||
|
|
|
||
|
|
Try my example.
|
||
|
|
|
||
|
|
For me, this always caused a GPF on Windows NT. That is, once the
|
||
|
|
File Save dialog appeared, no matter what I selected, it went
|
||
|
|
poof! It seems to core dump the UNIX version of Navigator if you
|
||
|
|
don't open up a new window relatively fast (i.e., before you go to
|
||
|
|
some other JavaScript laden page). I've found that nasty things
|
||
|
|
begin to happen if you click on Cancel in the Save dialog (see
|
||
|
|
3/18 for details).
|
||
|
|
|
||
|
|
Note that the file never gets closed until you exit Netscape, so
|
||
|
|
small writes tend to get buffered up and not output.
|
||
|
|
|
||
|
|
These above mentioned bugs with this mechanism initially lead me
|
||
|
|
to believe that the ability to write files was errantly added to
|
||
|
|
JavaScript. Brendan Eich has since informed me that this ability
|
||
|
|
is intentional, or at least, known about.
|
||
|
|
|
||
|
|
* (2/22) I discovered a way to make my JavaScript stay resident in a
|
||
|
|
new window, so that I can track your history in real time.
|
||
|
|
|
||
|
|
This problem has been fixed in Netscape-2.01; see Netscape's
|
||
|
|
security note on Java and JavaScript.
|
||
|
|
|
||
|
|
You can read the original article I posted to the RISKS Forum on
|
||
|
|
this problem. That whole issue is also available in the archive in
|
||
|
|
the UK. Another article of interest appeared Keith Dawson's TBTF
|
||
|
|
on Feb 28.
|
||
|
|
|
||
|
|
* (2/21) I've seen JavaScript stay resident after you leave a page.
|
||
|
|
This is what I call the "stuck onload()" problem, and is a BUG
|
||
|
|
(still in 2.01).
|
||
|
|
|
||
|
|
* (2/13) The bug in Netscape 2.0b3 that allowed JavaScript to
|
||
|
|
directory browse lives on in the 2.0 release, even after
|
||
|
|
Netscape told us it was fixed.
|
||
|
|
|
||
|
|
This is fixed in Netscape-2.01.
|
||
|
|
|
||
|
|
* This is a classified as a red herring, but JavaScript has the
|
||
|
|
ability to toss up arbitrary alert boxes. I used to have this one
|
||
|
|
pop up on my home page. I wanted this message to sound really bad.
|
||
|
|
This was before I wrote the tracker. A more interesting message
|
||
|
|
would be Please type your password or something similar.
|
||
|
|
|
||
|
|
* There are hundreds of exciting things to do with Netscape 2.0 and
|
||
|
|
JavaScript.
|
||
|
|
WARNING: viewing this page may damage or crash Netscape.
|
||
|
|
|
||
|
|
|
||
|
|
_________________________________________________________________
|
||
|
|
|
||
|
|
John Robert LoVerso, OSF Research Institute
|
||
|
|
|
||
|
|
Last modified on Monday, 01-Apr-96 14:51:07 EST.
|
||
|
|
This page accessed 16247 times.
|
||
|
|
|