1995-12-05 - Tricky Netscape Security Hole

Header Data

From: drozone@winternet.com (Thaddeus Ozone) (by way of carolann@censored.org (Censored Girls Anonymous))
To: cypherpunks@toad.com
Message Hash: 40195451de3b8aa006bca9667184505d24b80fb3e6659cbe30110df053558779
Message ID: <199512050729.AAA28538@mailhost1.primenet.com>
Reply To: N/A
UTC Datetime: 1995-12-05 07:27:59 UTC
Raw Date: Mon, 4 Dec 95 23:27:59 PST

Raw message

From: drozone@winternet.com (Thaddeus Ozone) (by way of carolann@censored.org (Censored Girls Anonymous))
Date: Mon, 4 Dec 95 23:27:59 PST
To: cypherpunks@toad.com
Subject: Tricky Netscape Security Hole
Message-ID: <199512050729.AAA28538@mailhost1.primenet.com>
MIME-Version: 1.0
Content-Type: text/plain


Yes it's full of headers, but it's the complete, unexpurgated version.
If this theory is correct, this IS FAR WORSE THAN A 40 bit key.

I saw the livescript on the source code.
I use 1.22 for image stability right now, though.

Yes it's a came from, a came from, a came from kinda deal,
but in the interest of security brevity it "seems real enough" to me.

Love Always,

Carol Anne

>Posted-Date: Mon, 4 Dec 1995 12:57:21 -0600
>X-Sender: jeff@cyborganic.com
>Mime-Version: 1.0
>Date: Mon, 4 Dec 1995 10:51:56 -0700
>To: cybernauts-l@netcom.com
>From: foodie@netcom.com (We're a Comglomerate) (by way of jeff@cyborganic.com
> (Jeffrey Logsdon))
>Subject: Tricky Netscape Security Hole
>
>Anybody else see this happening?
>
>Eternal Vigilance, and all that.
>
>- ------- Start of forwarded message -------
>>From: Scott Weston <scott@tripleg.com.au>
>>Subject: Netscape 2.0b2 allows for invasion of privacy
>>Newsgroups: aus.net.announce,comp.privacy
>>Date: Fri, 01 Dec 1995 11:09:06 +1100
>
>Hi 'Net Dwellers,
>
>First off - I've posted this before (however not to this group) and only
>got a response from the Netscape Corp.  They were glad I found the
>problem and said that they would fix it, however I feel that people
>should know about it.  Also I would like people to help me spread this
>document around, i.e. if you know of a newsgroup (or people) that would
>find this interesting then please re-postit.
>
>On with the problem...
>
>I've recently got hold of the latest netscape, and was (at first) very
>excited about the new "LiveScripts" that it supports.  If people don't
>yet know - these "LiveScripts" allow you to put small programs into your
>web page that is then executed by the Netscape client.  There is no
>DIRECT way for these programs to send information back to the owner of
>the web page, however I was able to do it in a not-so-direct way.
>
>The "LiveScript" that I wrote extracts ALL the history of the current
>netscape window.  By history I mean ALL the pages that you have visited
>to get to my page, it then generates a string of these and forces the
>Netscape client to load a URL that is a CGI script with the QUERY_STRING
>set to the users History.  The CGI script then adds this information
>to a log file.  Now if this hasn't quite CLICKED yet lets do a little
>example.
>
>Johnny Mnemonic starts up his newly acquired version of Netscape2.0b2
>to start his daily "surf" session.  First he decides to check his CD-NOW
>purchase and uses the handy Auto-Login URL.  Then he decides to go to
>Lycos and do a search.  In his search he find my page, which he decides
>to visit.  Suddenly he is transported, not to my main page but to one
>of my CGI scripts, which in turn happens to have ALL the URL's he just
>been to in it.  This means that in my log will be:
>
>  - the URL to use to get into CD-NOW as Johnny Mnemonic, including
>    username and password.
>  - The exact search params he used on Lycos (i.e. exactly what he
>    searched for)
>  - plus any other places he happened to visit.
>
>I do this in a way that the user will KNOW that it has happened and
>will _hopefully_ email Netscape and tell them they are NOT impressed.
>But it would be EASY for me to change the CGI script so that the user
>is unaware that it has actually happened, unless they closely examine
>their URL history (in fact they'll probably just think its a netscape
>bug).
>
>
>If you're skeptical about this then do the test yourself.  Get netscape
>2.0b2 and do some normal surfing, and then go to Lycos.  Do a search for:
>
>  scotts car boot sale
>
>which should return the URL - http://www.tripleg.com.au/staff/scott
>
>Click on the URL and sit back an watch.  First my main page will show up
>but a little while later you should be transported to a CGI bin script
>that will show you your URL history.
>
>I have tested this with both the Linux 2.0b2, and Solaris 2.0b2 versions
>and both have done the same thing.  I would be interested in knowing if
>it happens for ALL versions of Netscape2.0b2.  The log file does log
>the User Agent (i.e. the name of the platform you are using) so by simply
>going to the page I will know that your version of Netscape is also
>open to this form of attack.
>
>Currently I can find no way to configure Netscape2.0b2 to NOT run
>LiveScripts - and at the very least this option should be quickly
>added to the next version of netscape to be released.  But a far
>better solution (IMHO) would be for netscape to pop up a window before
>running the LiveScript and let you know what the LiveScript wants access
>to, e.g. if it only wants to print out the current time then that's
>OK, but if it wants to read my history list and then transport me to
>a CGI script and add me to a logfile then maybe I would say NO.
>
>I think I've said enough....
>
>If you've got any further questions, or want some more information just
>email me : scott@tripleg.com.au
>
>- --
>Scott.
>
>Quote from a car accident insurance claim: "I told the police that I was
>not injured, but on removing my hat, I found that I had a skull fracture."
>- ------- End of forwarded message -------
>
>
>------------------------------

------------------------------------------------------------
Thaddeus "Doc" Ozone    <http://www.winternet.com/~drozone/>
          "Specialization is for insects."   -RAH
  "I yam what I yam and that's all what I yam!"   -Popeye








Thread