And this came in moments after my previous post:

'Jeff Uphoff wrote:'
>From [EMAIL PROTECTED] Wed Mar 6 12:52:09 1996
>Date: Wed, 6 Mar 1996 11:29:21 -0500
>Message-Id: <[EMAIL PROTECTED]>
>From: Jeff Uphoff <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [linux-security] more Java/Netscape holes (fwd)
>X-Palindrome: Racecar.
>X-Mailer: VM 5.95 (beta); GNU Emacs 19.29.1
>X-Attribution: Up
>Sender: [EMAIL PROTECTED]
>Precedence: list
>
>[Forwarded to me from Ruth Milner at NRAO.]
>
>------- start of forwarded message (RFC 934 encapsulation) -------
>Date: Fri, 01 Mar 1996 20:25:14 -0500
>From: Jack Decker <[EMAIL PROTECTED]>
>Subject: Java/JavaScript security breaches
>
>If you are running Netscape 2.0 on your system, and are at all concerned
>about security or privacy, you should run, not walk to this URL:
>
>http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
>The World Wide Web Security FAQ
>
>Pay special attention to questions 69 through 71. Number 71 in particular
>discusses:
>
>* How a JavaScript page could grab a user's e-mail address from Netscape's
>preferences dialog and send it across the Internet.
>
>* A script that can open up a small window that continuously monitors the
>user's browsing activity, capture the URLs of open documents, and transmit
>them to a remote server.
>
>* A script that can obtain recursive directory listings of the user's local
>disk and any network disks that happen to be mounted. This information can
>be transmitted anywhere in the Internet.
>
>* How the version of JavaScript that was included with beta versions of
>Netscape 2.0 contained holes that allow the user's history and cache files
>(both of which contain lists of recently-visited URLs) to be captured.
>
>I have not seen any information on this before today, so I suspect that
>other Netscape users might want to know about these risks!
>------- end -------
>
>Anyone out there looked into any of this? I know it's not Linux
>specific, but since so many novice admins are putting Linux systems up
>on the net--largely for the purpose of WWW browsing and serving--the
>potential for Linux-impacting abuse is quite large.
>
>The most worrying point, to me, is the third one: transmissions of
>recursive directory listing from your host to arbitrary remote
>locations. I'm wondering, since most of the world still runs Netscape
>under MS-Windows, if this hole applies just to that pseudo-OS--or if it
>applies to UNIX/Linux as well. The terminology used ("network disks")
>sounds somewhat non-UNIXish (since UNIXers usually say "network
>filesystems"), so that's why I'm wondering what the scope of the hole
>is....
>
>Feedback much appreciated, especially since the net, with Java and the
>like, just seems to be begging for more security problems. (As if there
>aren't already enough!)
>
>--Up.
>
>P.S. Everyone with any security concerns and WWW involvement should
>definitely view the above-listed URL!
>
--
Christopher J. Fearnley          |  UNIX SIG Leader at PACS
[EMAIL PROTECTED]                |  (Philadelphia Area Computer Society)
http://www.netaxs.com/~cjf       |  Design Science Revolutionary
ftp://ftp.netaxs.com/people/cjf  |  Explorer in Universe
"Dare to be Naive" -- Bucky Fuller |  Linux Advocate

