From: loverso@osf.org (John Robert LoVerso)
Newsgroups: comp.lang.javascript
Subject: Serious Security Bug
Date: 21 Feb 1996 16:35:17 GMT
Organization: OSF Research Institute, Cambridge MA
Message-ID: <4gfhk5$m8i@paperboy.osf.org>

I just accidentally did something that has horrible and rather damaging consequences.

I have a page that has onload="foo()", where foo() executes an alert() and a history.back(). When one user here visited the href, they got a surprising effect: my onload and JavaScript function has gotten "stuck" and is being executed for every page they access, including things like "about:".

I've now caused this several times, with 2.0 running on HP-UX and on Solaris. I cannot quite reproduce it at will, but I do have a strong suspicion that it is a combination of a busy browser and an alert popup that puts the browser in this state.

This reopens the "copy user's history bug", but with the added consequence that I can write code that snoops on you once you've visited my page.

Let me state that again, concisely: I have seen a case where JavaScript imported from one page is being executed by the Navigator for EVERY subsequent page it renders. The result is no security in JavaScript.

BTW, there is no magic involved in this. Just a serious bug in 2.0.

See my home page [http://www.osf.org/~loverso/]

John LoVerso
OSF Research Institute