[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Michael Schmitz wrote:
> Stefan Keller (cip230@cip.physik.uni-wuerzburg.de) wrote:
> : (java != javascript)
> : Is this the Java_Applet_Security_Manager Patch?
> : Then I am unsure it'll help against the Javascript problem.
> : 'Disable Java' will IMHO not fix the Javascript email harvesting bug.
> You're right - the JavaScript bug(s) are still alive and at work.
> And because you can inline code in event handler calls, it will be
> necessary to get the 'RSN' fix from Netscape that lets you disable JavaScript
> completely.
>         Michael Schmitz

There is a patch called "democha" which addresses the JS vulnerabilities 
available from


(it's a perl script written by Larry Schwimmer of Stanford University
simply disables at least main parts of the javascript interpreter).

+--------------- BEGIN INCLUDED Democha Shell Script ----------------
 | #! /bin/sh
 | # @(#) democha version 1.4 7 March 1996 las
 | # democha: disable JavaScript in netscape2.0
 | # Usage: democha [netscape_binary]
 | perl -i.orig -pe '
 |      s/\0script\0/\0\0\0\0\0\0\0\0/g;
 |      s/\ca\&script\ca\&/\ca\&\0\0\0\0\0\0\ca\&/g;
 |      s/(javascript|livescript|mocha):/" " x length($1) . ":"/e;
 |      s/(x-javascript\0.*applets\0)/"\0" x length($1)/e;
 |      s/(\0onsubmit\0.*\0onunload\0)/"\0" x length($1)/e;
 |      s/(\0onunload\0.*\0applets\0)/"\0" x length($1)/e;
 |      if (($a,$b,$c) = /(.*x-javascript\cb)(.*)(\#.*)/) {
 |          $b =~ tr/a-zA-Z/ /;
 |          $_ = "$a$b$c\n";
 |      }
 |      ' "${1-netscape}"
 +--------------- END INCLUDED Democha Shell Script -----------------

I have not checked this workaround until now. Quoting a message form
NASIRC (the NASA emergency team):

        The current version of the script has been tested with Netscape
        2.0 for several variants of UNIX, Macintosh, and Windows
        For PC and Macintosh platforms users can copy the Netscape
        file to a UNIX machine with Perl, run the script against the
        binary, and return the binary to the PC. This script is not
        guaranteed to disable all JavaScript functionality.  It has
        worked with several JavaScript exploit pages that were available
        at the time.  It may have the side-effect of crashing the
        when some JavaScript pages are accessed.

Hope that helps!

Friedhelm ries@prz.tu-berlin.de http://colos-www.prz.tu-berlin.de/~ries/
For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/