Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
Yes, that is true. This is precisely why this is not such a big deal for us, although it may be for people running Windows...

Jim Michael [EMAIL PROTECTED] writes:

> On 19 Jun 1997, John Goerzen wrote:
>
> > Let's not over-react, please. This bug *only* allows people to see files that the user running Netscape has access to, and *only* if it already knows the names of these files. On a Debian 1.3 machine, which uses shadow passwords, essentially the only thing that would be of use for people would be files in your home directory. And since there are no predictable patterns for these files, it would be difficult to construct a web page that would cause serious harm.
>
> NT and Win95 users are at risk since the OS is typically loaded into the default directories and files such as those containing passwords are susceptible to being accessed. Recommendation from NS is to turn off Java Script and set the warn of sending secure data option until the patched versions are released.
>
> Cheers, Jim

--
John Goerzen | Running Debian GNU/Linux (www.debian.org)
Custom Programming | [EMAIL PROTECTED] |

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
> And once Communicator for Linux is officially released, we won't have to worry about it any more.

And exactly how is the release of Communicator going to fix the systems running 3.01?

George Bonser [EMAIL PROTECTED], [EMAIL PROTECTED]
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
George Bonser wrote:

> > And once Communicator for Linux is officially released, we won't have to worry about it any more.
>
> And exactly how is the release of Communicator going to fix the systems running 3.01?

Getting out of Netscape Employee Suite

From what I understand of this bug, it is not as trivial to exploit this as the mags (and the Security Update in the Netscape homepage) have made it out to be. I am not trying to say that the bug itself is trivial. Neither am I saying that people should start moving up to Communicator. I am just saying that one should always keep one's (form and cookie) alerts on. By doing this the risks are, IMHO, far lesser.

Sudhakar

PS: These are my opinions and my opinions alone.

--
If something goes wrong...blame the guy who can't speak English. -- Homer Simpson
Sudhakar Chandrasekharan (415) 937-2354 (O)
International Web Engineer Type of Guy (415) 940-1896 (H)
http://home.netscape.com/people/thaths/
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
George Bonser [EMAIL PROTECTED] writes:

> > And once Communicator for Linux is officially released, we won't have to worry about it any more.
>
> And exactly how is the release of Communicator going to fix the systems running 3.01?

There's this thing called an Upgrade, you know

--
John Goerzen | Running Debian GNU/Linux (www.debian.org)
Custom Programming | [EMAIL PROTECTED] |
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
Let's not over-react, please. This bug *only* allows people to see files that the user running Netscape has access to, and *only* if it already knows the names of these files. On a Debian 1.3 machine, which uses shadow passwords, essentially the only thing that would be of use for people would be files in your home directory. And since there are no predictable patterns for these files, it would be difficult to construct a web page that would cause serious harm.

George Bonser [EMAIL PROTECTED] writes:

> Better take this SERIOUSLY folks, it is a VERY big bug ... major security hole. It allows a server to see EVERYTHING on the client filesystem.
>
> George Bonser [EMAIL PROTECTED], [EMAIL PROTECTED]
>
> -- Forwarded message --
> Date: Thu, 12 Jun 1997 21:06:45 -0500
> From: Francisco Benavides [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: BIG NetScape Bug1
>
> Hi,
>
> A HUGE flaw was uncovered in the new NetScape, for more details: http://cnnfn.com/digitaljam/9706/12/netscape_pkg/
>
> Bye/Francisco :)

--
John Goerzen | Running Debian GNU/Linux (www.debian.org)
Custom Programming | [EMAIL PROTECTED] |
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
My concern was for someone running Netscape as root. Also, systems earlier than 1.3 are not likely to have shadow installed but I know that some might. And thirdly, since the linux versions that have been released are unsupported, it is possible that there will not be patched releases of the earlier versions. This concerns me if the exploit is made public after the patched release of the supported versions.

George Bonser [EMAIL PROTECTED], [EMAIL PROTECTED]
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
On Thu, 19 Jun 1997, George Bonser wrote:

> My concern was for someone running Netscape as root.

Well, I assumed this was common sense, but people shouldn't really be using netscape as root (at least not to surf the web). Just off the top of my head, I can't think of any reason one would *need* to. Maybe I overlooked some use?

Root should really only be used to do specific administration tasks. Unprivileged users should be used for day to day stuff.

Erv

--
PGP Public Key: finger [EMAIL PROTECTED]
PGP Fingerprint: A5 AB 25 7D 7A FD 4D FE BE 21 47 60 0C DC 67 9E
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
> Well, I assumed this was common sense, but people shouldn't really be using netscape as root (at least not to surf the web). Just off the top of my head, I can't think of any reason one would *need* to. Maybe I overlooked some use?
>
> Root should really only be used to do specific administration tasks. Unprivileged users should be used for day to day stuff.

Absolutely correct but I see a lot of newbies using root.

George Bonser [EMAIL PROTECTED], [EMAIL PROTECTED]
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
> Well, I assumed this was common sense, but people shouldn't really be using netscape as root (at least not to surf the web). Just off the top of my head, I can't think of any reason one would *need* to. Maybe I overlooked some use?

I use a browser as root to check what's happening with my router, using mrtg (which isn't a debian package). But I'm **very** careful!

> Root should really only be used to do specific administration tasks. Unprivileged users should be used for day to day stuff.

There's not much you can't do with groups and permissions set right.

John Foster
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
On 19 Jun 1997, John Goerzen wrote:

> Let's not over-react, please. This bug *only* allows people to see files that the user running Netscape has access to, and *only* if it already knows the names of these files. On a Debian 1.3 machine, which uses shadow passwords, essentially the only thing that would be of use for people would be files in your home directory. And since there are no predictable patterns for these files, it would be difficult to construct a web page that would cause serious harm.

NT and Win95 users are at risk since the OS is typically loaded into the default directories and files such as those containing passwords are susceptible to being accessed. Recommendation from NS is to turn off Java Script and set the warn of sending secure data option until the patched versions are released.

Cheers, Jim
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
On Fri, 20 Jun 1997, John Foster wrote:

> > Well, I assumed this was common sense, but people shouldn't really be using netscape as root (at least not to surf the web). Just off the top of my head, I can't think of any reason one would *need* to. Maybe I overlooked some use?
>
> I use a browser as root to check what's happening with my router, using mrtg (which isn't a debian package). But I'm **very** careful!

I agree that this is an extremely important use (along with other administration uses where you are talking to admin cgi's, manpages, dwww? or others). In these cases, you are (theoretically) completely safe as long as you trust the program you are talking to with netscape. Just don't take a break from work and check a couple of your favorite web pages :)

Erv

--
PGP Public Key: finger [EMAIL PROTECTED]
PGP Fingerprint: A5 AB 25 7D 7A FD 4D FE BE 21 47 60 0C DC 67 9E
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
> already knows the names of these files. On a Debian 1.3 machine, which uses shadow passwords, essentially the only thing that would be of use for people would be files in your home directory. And since there are no predictable patterns for these files, it would be difficult to construct a web page that would cause serious harm.

what about .login or .cshrc? these seem like prime candidates for mischief?

rick
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
Rick Hawkins wrote:

> > already knows the names of these files. On a Debian 1.3 machine, which uses shadow passwords, essentially the only thing that would be of use for people would be files in your home directory. And since there are no predictable patterns for these files, it would be difficult to construct a web page that would cause serious harm.
>
> what about .login or .cshrc? these seem like prime candidates for mischief?

How about ~/.ssh/identity? Of course security minded people will require a password to decrypt their personal ssh identity... And as far as ssh falling back to .rhosts or rlogin, sshd can be (and should be IMHO) configured to do neither.

Behan

--
Behan Webster mailto:[EMAIL PROTECTED]
+1-613-224-7547 http://www.verisim.com/
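
The exposure model argued over in this thread (a file is at risk only if its name is predictable and the user running the browser can read it, and root can read everything), as an added shell example that is not part of any poster's message. The home-directory names are the ones mentioned in the thread; the /etc paths and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: inventory of predictable-name files
# that the account running the browser is able to read.

# Names mentioned in the thread (relative to the home directory).
PREDICTABLE_HOME=".login .cshrc .ssh/identity .rhosts"
# Assumed system paths, chosen to illustrate the shadow-password point.
PREDICTABLE_SYSTEM="/etc/passwd /etc/shadow"

# Print every predictable path that exists and is readable by the
# current user. Argument 1: home directory to inspect.
readable_predictable() {
    home_dir=$1
    for rel in $PREDICTABLE_HOME; do
        if [ -f "$home_dir/$rel" ] && [ -r "$home_dir/$rel" ]; then
            printf '%s\n' "$home_dir/$rel"
        fi
    done
    for abs in $PREDICTABLE_SYSTEM; do
        if [ -f "$abs" ] && [ -r "$abs" ]; then
            printf '%s\n' "$abs"
        fi
    done
    return 0
}

# Succeeds only for uid 0, the case the thread warns about:
# as root, file permissions no longer limit what can be read.
is_privileged_uid() {
    [ "$1" -eq 0 ]
}

# Full report for the current account.
report() {
    home_dir=${1:-$HOME}
    if is_privileged_uid "$(id -u)"; then
        echo "WARNING: running as root, permissions do not limit exposure"
    fi
    echo "Predictable files readable by uid $(id -u):"
    readable_predictable "$home_dir"
}

report "$@"
```

On a shadow-password system run as an ordinary user, /etc/shadow should be absent from the output; if it appears, the account is privileged or the file's permissions are wrong.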
Re: BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
George Bonser [EMAIL PROTECTED] writes:

> My concern was for someone running Netscape as root.

This should never occur. People should not run Netscape as root. (In a nutshell: Java. The thought of running unknown programs as root should send a shiver down your spine...)

> And thirdly, since the linux versions that have been released are unsupported, it is possible that there will not be patched releases of the earlier versions. This concerns me if the exploit is made public after the patched release of the supported versions.

There have already been exploits made public on Bugtraq, I believe. And once Communicator for Linux is officially released, we won't have to worry about it any more.

--
John Goerzen | Running Debian GNU/Linux (www.debian.org)
Custom Programming | [EMAIL PROTECTED] |
BIG NetScape Bug!!!!!!!!!!!!!!!!1 (fwd)
Better take this SERIOUSLY folks, it is a VERY big bug ... major security hole. It allows a server to see EVERYTHING on the client filesystem.

George Bonser [EMAIL PROTECTED], [EMAIL PROTECTED]

-- Forwarded message --
Date: Thu, 12 Jun 1997 21:06:45 -0500
From: Francisco Benavides [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: BIG NetScape Bug1

Hi,

A HUGE flaw was uncovered in the new NetScape, for more details: http://cnnfn.com/digitaljam/9706/12/netscape_pkg/

Bye/Francisco :)