Re: Security holes in JavaScript/Netscape 2.0 (fwd)



I've visited this page before, but the buttons have never done anything more
than create a new window, at most writing 'directory listing of' at the top.

I'm running Win95. Anyone else get no response on this page?

Andy

At 05:25 PM 3/1/96 -0800, Brian Karlak wrote:
>I was just checking out some of the JavaScript security issues raised recently,
>and it seems to me something even more evil than merely getting the directory
>hierarchy of a client's machine can be performed.  The script at
>http://www.c2.org/~aelana/javascript.html will not only tell me WHAT files are
>on my machine.  It will print their contents, too - at least in the
>stealWindow. This includes files like /etc/passwd, /etc/exports, etc.
>
>Now I don't fully understand John's script yet, so is there something I'm
>missing here?  Admittedly, I haven't tried setting up things myself and
>actually transferring the files back to my server, but what is it exactly that
>allows the transfer of the directory information placed in the stealWindow back
>to the server and yet not transfer actual file contents?
>
>Brian
>
>-- 
>  d a t a b a s e s    a r e   i n   o u r  g e n e s
>  ----------------------------------------------------
>  Brian Karlak   bkarlak@panbio.com  (510) 337-7910 ph
>  Manager, SciApps Group             (510) 522-9394 fx
>  ----------------------------------------------------
>  P  A  N  G  E  A     S  Y  S  T  E  M  S     I  N  C

--------------------------------------------------------------------
For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/