
Re: NETSCAPE2.0 PATCH FOR JAVASCRIPT VULNERABILITY



There is a patch called "democha" which addresses the JS vulnerabilities 
available from

	ftp://nasirc.nasa.gov/patches/Netscape/democha.sh

(it's a perl script written by Larry Schwimmer of Stanford University
which simply disables at least the main parts of the javascript interpreter).

+--------------- BEGIN INCLUDED Democha Shell Script ----------------
 | #! /bin/sh
 | # @(#) democha version 1.4 7 March 1996 las
 | # democha: disable JavaScript in netscape2.0
 | # Usage: democha [netscape_binary]
 |
 | perl -i.orig -pe '
 |      s/\0script\0/\0\0\0\0\0\0\0\0/g;
 |      s/\ca\&script\ca\&/\ca\&\0\0\0\0\0\0\ca\&/g;
 |      s/(javascript|livescript|mocha):/" " x length($1) . ":"/e;
 |      s/(x-javascript\0.*applets\0)/"\0" x length($1)/e;
 |      s/(\0onsubmit\0.*\0onunload\0)/"\0" x length($1)/e;
 |      s/(\0onunload\0.*\0applets\0)/"\0" x length($1)/e;
 |      if (($a,$b,$c) = /(.*x-javascript\cb)(.*)(\#.*)/) {
 |          $b =~ tr/a-zA-Z/ /;
 |          $_ = "$a$b$c\n";
 |      }
 |      ' "${1-netscape}"
 |
 +--------------- END INCLUDED Democha Shell Script -----------------

I have not checked this workaround until now. Quoting a message from
NASIRC (the NASA emergency team):

        The current version of the script has been tested with Netscape
        2.0 for several variants of UNIX, Macintosh, and Windows (32bit).
        For PC and Macintosh platforms users can copy the Netscape binary
        file to a UNIX machine with Perl, run the script against the
        binary, and return the binary to the PC. This script is not
        guaranteed to disable all JavaScript functionality.  It has
        worked with several JavaScript exploit pages that were available
        at the time.  It may have the side-effect of crashing the browser
        when some JavaScript pages are accessed.

Hope that helps!

Friedhelm
-- 
Friedhelm ries@prz.tu-berlin.de http://colos-www.prz.tu-berlin.de/~ries/
*-----------------------------------------------------------------------
--------------------------------------------------------------------
For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/
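
One way to audit a binary after a same-length, in-place patch like the script quoted in the message above (an added example, not part of the original message or of democha itself). The sample bytes are constructed, and `blank_first_per_line` and `audit` are hypothetical helper names; the first mirrors the script's scheme substitution, which has no `/g` flag and so rewrites only the first match in each newline-delimited record.

```python
import re

# Byte patterns taken from the substitutions in the quoted script.
SCHEMES = re.compile(rb"(javascript|livescript|mocha):")
SCRIPT_TAG = re.compile(rb"\x00script\x00")

# Constructed sample standing in for a fragment of a browser binary.
SAMPLE = b"\x7fELF\x00about:\x00javascript:\x00mocha:\x00\nlivescript:\x00tail"


def blank_first_per_line(data: bytes) -> bytes:
    """Mirror the scheme substitution: perl -p works record by record and the
    rule has no /g, so only the first match per record is overwritten, with
    spaces of the same length so that file offsets do not move."""
    records = data.split(b"\n")
    patched = [
        SCHEMES.sub(lambda m: b" " * len(m.group(1)) + b":", rec, count=1)
        for rec in records
    ]
    return b"\n".join(patched)


def audit(original: bytes, patched: bytes) -> dict:
    """Check an in-place patch: the size must be unchanged, and any token the
    patch was meant to blank but that is still present is reported by offset."""
    return {
        "same_length": len(original) == len(patched),
        "changed_bytes": sum(a != b for a, b in zip(original, patched)),
        "residual_schemes": [
            (m.start(), m.group(1).decode()) for m in SCHEMES.finditer(patched)
        ],
        "residual_script_tags": [m.start() for m in SCRIPT_TAG.finditer(patched)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE, blank_first_per_line(SAMPLE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

To audit real files, read the `.orig` backup left by `perl -i.orig` and the patched binary in `rb` mode and pass both to `audit`; a non-empty residual list is consistent with the NASIRC caveat that the script is not guaranteed to disable everything.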

