[linux-security] more Java/Netscape holes (fwd)
And this came in moments after my previous post:
Jeff Uphoff wrote:
>From firstname.lastname@example.org Wed Mar 6 12:52:09 1996
>Date: Wed, 6 Mar 1996 11:29:21 -0500
>From: Jeff Uphoff <email@example.com>
>Subject: [linux-security] more Java/Netscape holes (fwd)
>X-Mailer: VM 5.95 (beta); GNU Emacs 19.29.1
>[Forwarded to me from Ruth Milner at NRAO.]
>------- start of forwarded message (RFC 934 encapsulation) -------
>Date: Fri, 01 Mar 1996 20:25:14 -0500
>From: Jack Decker <firstname.lastname@example.org>
>If you are running Netscape 2.0 on your system, and are at all concerned
>about security or privacy, you should run, not walk, to this URL:
>The World Wide Web Security FAQ
>Pay special attention to questions 69 through 71. Number 71 in particular
>preferences dialog and send it across the Internet.
>* A script that can open up a small window that continuously monitors the
>user's browsing activity, capture the URLs of open documents, and transmit
>them to a remote server.
>* A script that can obtain recursive directory listings of the user's local
>disk and any network disks that happen to be mounted. This information can
>be transmitted anywhere in the Internet.
>Netscape 2.0 contained holes that allow the user's history and cache files
>(both of which contain lists of recently-visited URLs) to be captured.
>I have not seen any information on this before today, so I suspect that
>other Netscape users might want to know about these risks!
>------- end -------
>Anyone out there looked into any of this? I know it's not Linux
>specific, but since so many novice admins are putting Linux systems up
>on the net--largely for the purpose of WWW browsing and serving--the
>potential for Linux-impacting abuse is quite large.
>The most worrying point, to me, is the third one: transmissions of
>recursive directory listings from your host to arbitrary remote
>locations. I'm wondering, since most of the world still runs Netscape
>under MS-Windows, if this hole applies just to that pseudo-OS--or if it
>applies to UNIX/Linux as well. The terminology used ("network disks")
>sounds somewhat non-UNIXish (since UNIXers usually say "network
>filesystems"), so that's why I'm wondering what the scope of the hole
>Feedback much appreciated, especially since the net, with Java and the
>like, just seems to be begging for more security problems. (As if there
>aren't already enough!)
>P.S. Everyone with any security concerns and WWW involvement should
>definitely view the above-listed URL!
Christopher J. Fearnley | UNIX SIG Leader at PACS
email@example.com | (Philadelphia Area Computer Society)
http://www.netaxs.com/~cjf | Design Science Revolutionary
ftp://ftp.netaxs.com/people/cjf | Explorer in Universe
"Dare to be Naive" -- Bucky Fuller | Linux Advocate