Re: javascript Security... the official word

[Frank Hecker <hecker@netscape.com>]

paz wrote:
> oooh! creepy!  here's the official word:
> 
> "THE WORLD WIDE WEB SECURITY FAQ (Version 1.2.0, February 28 1996)"
> by Lincoln D. Stein <lstein@genome.wi.mit.edu>

Well, this is not "the official word" in the sense of being an official 
Netscape document.  There are people at Netscape working on these 
problems as I write, and I expect some sort of official Netscape 
response soon.

> In addition, it should be possible to exploit the same holes to grab
> the user's list of subscribed newsgroups and to obtain the contents of
> local disk files.
> 
> Not only is this intrusive, but it represents a systemwide security
> breach. If sensitive system documents (such as password files) can be
> stolen, then the entire local area network becomes vulnerable to break
> ins.

This is not correct according to Brendan Eich of Netscape (main 
JavaScript developer).  The problem allows file names to be obtained, 
not file contents.  Mr. Stein has apparently corrected the FAQ to 
reflect this; see the later message to the list from David Andrade.

Frank

-- 
Frank Hecker          Pre-sales tech support, Netscape Federal sales
hecker@netscape.com   http://home.netscape.com/people/hecker/

--------------------------------------------------------------------
This message came from the mailing list javascript. For help using the
mailing list software, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.