[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Security holes in JavaScript/Netscape 2.0 (fwd)

In case you haven't heard about how people are reacting to the security 
issues, here is some recent information.

David F. Andrade			University of Washington

---------- Forwarded message ----------
Date: Fri, 1 Mar 1996 15:07:16 +0100
Subject: UPDATE: Security holes in JavaScript/Netscape 2.0
From: Lincoln Stein <lstein@kaa.crbm.cnrs-mop.fr>
To: www-security@ns2.rutgers.edu
Cc: www-managers@lists.stanford.edu, Eric Hammond <eric.hammond@sdrc.com>,
    Malcolm Humes <mhumes@tenetwork.com>, Jeff Weinstein <jsw@netscape.com>,
    loverso@osf.org, lstein@pico.crbm.cnrs-mop.fr

There's been some confusion regarding what security problems do and
don't exist in the version of JavaScript distributed with Netscape
2.0, and unfortunately the WWW Security FAQ was not entirely clear
(because I wasn't entirely clear...).  Some of these holes were
present only in beta versions of Netscape.  Others are still with us.

Here's the current list of security holes and their status:

1) Read user's history -- fixed in 2.0
2) Read user's URL cache --   fixed in 2.0
3) Forge e-mail/steal e-mail address - STILL PRESENT IN 2.0
4) Recursively list local disks - STILL PRESENT IN 2.0
5) Open 1 pixel window and log all URL accesses - STILL PRESENT IN 2.0

I am enclosing the current draft of this section of the FAQ for user
comment.  Please let me know of any inaccuracies you find in this
section.  Thank you all for your input.

Lincoln Stein

Q71: Are there any known security holes in JavaScript?

There is reason to be concerned about JavaScript, an integral part of
Netscape Navigator 2.0. It allows many types of private information to be
included in data submitted to remote sites by fill-out forms, without the
consent, or even the knowledge of the user. For example, a recently
published script showed how a JavaScript page could grab a user's e-mail
address from Netscape's preferences dialog and send it across the Internet.

John Robert LoVerso (loverso@osf.org) has discovered another bug in
JavaScript. A script can open up a small window that continuously monitors
the user's browsing activity, capture the URLs of open documents, and
transmit them to a remote server. A demonstration is available at:


To defeat this type of attack, you must be on the lookout for scripts that
pop up new windows that don't seem to be doing anything. Close them
immediately. Note that the windows may be quite small: a 1x1 pixel window
may be almost invisible.

It is also possible for JavaScript to obtain recursive directory listings of
the user's local disk and any network disks that happen to be mounted. This
information can be transmitted anywhere in the Internet. See


for a demonstration.

If you happen to be using any beta version of Netscape 2.0, stop
immediately. Beta implementations of JavaScript contained further holes that
allow the user's history and cache files (both of which contain lists of
recently-visited URLs) to be captured. See


for more details.

In short, there are several known security holes in JavaScript and there may
be more lurking. The safest course at this point is to use Netscape 1.1 or
another vendor's browser. Turning off Java in the Security Preferences
dialog box has no effect on JavaScript. However, Netscape has indicated that
it may provide an "off" button in Netscape 2.1.

This message came from the mailing list javascript. For help using the
mailing list software, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.