[linux-security] more Java/Netscape holes (fwd)
And this came in moments after my previous post:
'Jeff Uphoff wrote:'
>From owner-linux-security@tarsier.cv.nrao.edu Wed Mar 6 12:52:09 1996
>Date: Wed, 6 Mar 1996 11:29:21 -0500
>Message-Id: <199603061629.LAA28076@tarsier.cv.nrao.edu>
>From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
>To: linux-security@tarsier.cv.nrao.edu
>Subject: [linux-security] more Java/Netscape holes (fwd)
>X-Palindrome: Racecar.
>X-Mailer: VM 5.95 (beta); GNU Emacs 19.29.1
>X-Attribution: Up
>Sender: owner-linux-security@tarsier.cv.nrao.edu
>Precedence: list
>
>[Forwarded to me from Ruth Milner at NRAO.]
>
>------- start of forwarded message (RFC 934 encapsulation) -------
>Date: Fri, 01 Mar 1996 20:25:14 -0500
>From: Jack Decker <jack@novagate.com>
>Subject: Java/JavaScript security breaches
>
>If you are running Netscape 2.0 on your system, and are at all concerned
>about security or privacy, you should run, not walk, to this URL:
>
>http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
>The World Wide Web Security FAQ
>
>Pay special attention to questions 69 through 71. Number 71 in particular
>discusses:
>
>* How a JavaScript page could grab a user's e-mail address from Netscape's
>preferences dialog and send it across the Internet.
>
>* A script that can open up a small window that continuously monitors the
>user's browsing activity, capture the URLs of open documents, and transmit
>them to a remote server.
>
>* A script that can obtain recursive directory listings of the user's local
>disk and any network disks that happen to be mounted. This information can
>be transmitted anywhere in the Internet.
>
>* How the version of JavaScript that was included with beta versions of
>Netscape 2.0 contained holes that allow the user's history and cache files
>(both of which contain lists of recently-visited URLs) to be captured.
>
>I have not seen any information on this before today, so I suspect that
>other Netscape users might want to know about these risks!
>------- end -------
>
>Anyone out there looked into any of this? I know it's not Linux
>specific, but since so many novice admins are putting Linux systems up
>on the net--largely for the purpose of WWW browsing and serving--the
>potential for Linux-impacting abuse is quite large.
>
>The most worrying point, to me, is the third one: transmissions of
>recursive directory listings from your host to arbitrary remote
>locations. I'm wondering, since most of the world still runs Netscape
>under MS-Windows, if this hole applies just to that pseudo-OS--or if it
>applies to UNIX/Linux as well. The terminology used ("network disks")
>sounds somewhat non-UNIXish (since UNIXers usually say "network
>filesystems"), so that's why I'm wondering what the scope of the hole
>is....
>
>Feedback much appreciated, especially since the net, with Java and the
>like, just seems to be begging for more security problems. (As if there
>aren't already enough!)
>
>--Up.
>
>P.S. Everyone with any security concerns and WWW involvement should
>definitely view the above-listed URL!
>
--
Christopher J. Fearnley | UNIX SIG Leader at PACS
cjf@netaxs.com | (Philadelphia Area Computer Society)
http://www.netaxs.com/~cjf | Design Science Revolutionary
ftp://ftp.netaxs.com/people/cjf | Explorer in Universe
"Dare to be Naive" -- Bucky Fuller | Linux Advocate