[linux-security] more Java/Netscape holes (fwd)

To: debian-user@Pixar.com
Cc: lenp@nothinbut.net (Len Pikulski), runexe@ntplx.net
Subject: [linux-security] more Java/Netscape holes (fwd)
From: Chris Fearnley <cjf@netaxs.com>
Date: Wed, 6 Mar 1996 13:19:45 -0500 (EST)
Message-id: <[🔎] 199603061819.NAA27940@access.netaxs.com>

And this came in moments after my previous post:

'Jeff Uphoff wrote:'
>From owner-linux-security@tarsier.cv.nrao.edu  Wed Mar  6 12:52:09 1996
>Date: Wed, 6 Mar 1996 11:29:21 -0500
>Message-Id: <199603061629.LAA28076@tarsier.cv.nrao.edu>
>From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
>To: linux-security@tarsier.cv.nrao.edu
>Subject: [linux-security] more Java/Netscape holes (fwd)
>X-Palindrome: Racecar.
>X-Mailer: VM 5.95 (beta); GNU Emacs 19.29.1
>X-Attribution: Up
>Sender: owner-linux-security@tarsier.cv.nrao.edu
>Precedence: list
>
>[Forwarded to me from Ruth Milner at NRAO.]
>
>------- start of forwarded message (RFC 934 encapsulation) -------
>Date: Fri, 01 Mar 1996 20:25:14 -0500
>From: Jack Decker <jack@novagate.com>
>Subject: Java/JavaScript security breaches
> 
>If you are running Netscape 2.0 on your system, and are at all concerned
>about security or privacy, you should run, not walk to this URL:
> 
>http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
>The World Wide Web Security FAQ
> 
>Pay special attention to questions 69 through 71.  Number 71 in particular
>discusses:
> 
>* How a JavaScript page could grab a user's e-mail address from Netscape's
>preferences dialog and send it across the Internet.
> 
>* A script that can open up a small window that continuously monitors the
>user's browsing activity, capture the URLs of open documents, and transmit
>them to a remote server.
> 
>* A script that can obtain recursive directory listings of the user's local
>disk and any network disks that happen to be mounted. This information can
>be transmitted anywhere in the Internet.
> 
>* How the version of JavaScript that was included with beta versions of
>Netscape 2.0 contained holes that allow the user's history and cache files
>(both of which contain lists of recently-visited URLs) to be captured.
> 
>I have not seen any information on this before today, so I suspect that
>other Netscape users might want to know about these risks!
>------- end -------
>
>Anyone out there looked into any of this?  I know it's not Linux
>specific, but since so many novice admins are putting Linux systems up
>on the net--largely for the purpose of WWW browsing and serving--the
>potential for Linux-impacting abuse is quite large.
>
>The most worrying point, to me, is the third one: transmissions of
>recursive directory listing from your host to arbitrary remote
>locations.  I'm wondering, since most of the world still runs Netscape
>under MS-Windows, if this hole applies just to that pseudo-OS--or if it
>applies to UNIX/Linux as well.  The terminology used ("network disks")
>sounds somewhat non-UNIXish (since UNIXers usually say "network
>filesystems"), so that's why I'm wondering what the scope of the hole
>is....
>
>Feedback much appreciated, especially since the net, with Java and the
>like, just seems to be begging for more security problems.  (As if there
>aren't already enough!)
>
>--Up.
>
>P.S. Everyone with any security concerns and WWW involvement should
>definitely view the above-listed URL!
>


-- 
Christopher J. Fearnley            |    UNIX SIG Leader at PACS
cjf@netaxs.com                     |    (Philadelphia Area Computer Society)
http://www.netaxs.com/~cjf         |    Design Science Revolutionary
ftp://ftp.netaxs.com/people/cjf    |    Explorer in Universe
"Dare to be Naive" -- Bucky Fuller |    Linux Advocate

Reply to:

Prev by Date: [linux-security] Java security bug (applets can load native methods) (fwd)
Next by Date: Rxvt and resources
Previous by thread: [linux-security] Java security bug (applets can load native methods) (fwd)
Next by thread: Rxvt and resources
Index(es):
- Date
- Thread