Date: Fri, 22 Mar 96 11:25:40 -0500
From: John Robert LoVerso <loverso@schooner.com>
To: www-security@ns2.rutgers.edu
Subject: Netscape 2.01 & JavaScript
Message-id: <199603221625.LAA17248@postman.osf.org>

Last Saturday I wrote:

> > or if there is still a "privacy vulnerability" in Navigator 2.01.
> Not to my knowledge.

I have since produced examples of three exploits of JavaScript that work with 2.01 (as long as JavaScript is enabled):
1. History tracking
An example exploit of this is available at my URL.
I have not yet made an example of this exploit available to anyone outside of Netscape.
Basically, I found a way to set the filename in a file element of a form from JavaScript. The example is short and unfortunately straightforward. This approach requires a user to press a form button to trigger the file upload. However, this could be any button on any form, without any indication that it was for a file upload. That is, this could be the "Search" button at Alta Vista, or the "Get Another Fortune" button at my own quote collection page. Further, this approach could be used to upload a different file from the one the user selected, without the user knowing that this has happened.
This is simply an abuse of the HTTP file upload facility, something that was foreseen by several people.
I have not yet made an example of this exploit available to anyone outside of Netscape.
My examples, when available, are at http://www.schooner.com/~loverso/javascript/.
My understanding from Netscape is that these problems will be fixed in an early beta of 3.0, due in a month (or so). Further, I think they will be putting a confirmation dialog on form postings that include instances of mailto: and file upload.
Note that users of 2.01 can simply disable JavaScript to avoid these problems.
John Robert LoVerso
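The file-upload abuse described in the message above, as an added example that is not part of the original post: a form whose only visible control is a "Search" button but which also carries a hidden file input and posts as multipart/form-data, so pressing the button would ship a file along with the query. The post does not say how the filename was set in Navigator 2.01; the script below simply makes the obvious attempt, assigning to the file input's value, which is exactly what current browsers refuse. The HTML specification requires that setting any non-empty value on a file input throw an InvalidStateError, so the assignment is caught and reported rather than succeeding, and a submit handler then lists what a post from this form would actually carry. The path, field names and action URL are made up for the example.

```html
<!-- Added example, not from the original post: a "Search" form that also carries a file part. -->
<form id="q" method="post" enctype="multipart/form-data" action="/search">
  <input type="text" name="query" placeholder="search terms">
  <!-- The file control the user never sees; any later submit would ship its contents. -->
  <input type="file" name="f" id="f" style="display:none">
  <input type="submit" value="Search">
</form>
<pre id="out"></pre>
<script>
  // Hypothetical target path; a real abuse would name a file the page author wants to read.
  var target = "/etc/passwd";
  var f = document.getElementById("f");
  var out = document.getElementById("out");
  try {
    // Direct assignment is the obvious attempt. Per the HTML spec, a file input
    // throws InvalidStateError when set to any non-empty string, so this fails today.
    f.value = target;
    out.textContent = "preset succeeded: " + f.value + " (this browser does not enforce the check)";
  } catch (e) {
    out.textContent = "preset refused: " + e.name + "; a file input takes a path only from the file picker";
  }
  // Show what would leave the browser on "Search": every part of the multipart body.
  document.getElementById("q").addEventListener("submit", function (ev) {
    ev.preventDefault();
    var parts = [];
    new FormData(ev.target).forEach(function (value, key) {
      parts.push(key + "=" + (value instanceof File
        ? "<file " + JSON.stringify(value.name) + ", " + value.size + " bytes>"
        : JSON.stringify(value)));
    });
    out.textContent += "\nwould post: " + parts.join(", ");
  });
</script>
```

Loaded in a current browser, the page reports "preset refused: InvalidStateError", and pressing Search shows the file part as an empty File with no name, which is the behaviour the 3.0 fixes and later standards settled on: a file part can only carry what the user chose in the picker, and a form cannot be made to upload a file the user never selected.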