JAVASCRIPT PROBLEMS I'VE DISCOVERED These have all been reported back to Netscape. The press had a spotty record of reporting correctly on this. I've prepared a small report on the stories I've seen. I'm amazed at how inaccurate some of the stories are! You'd think that they would have at least read some of what I've written! If you see an article in the press mentioning these pages, please let me know. _________________________________________________________________ * (4/1) I will be making the 3/18 and 3/21 exploits available shortly, since they are fixed in 3.0b2. --> * (3/29) Netscape has gotten some fixes into 3.0b2. Of my three exploits that I reported against 2.01, only the new history tracker continues to work (I.e., the others were fixed in response to my report). * (3/22) Here is a note to the www-security list I wrote describing the latest problems I know affecting 2.01. * (3/21) I have a means (using 2.0 or 2.01) to read and retrieve files off a user's disk. It requires a minimal forms interaction by the user (MEANING: the user has to click on something to invoke the file read). I am not making this exploit available at this time. * (3/18) I have modified the "directory browser" exploit such that it works with 2.01. I am not making this exploit available at this time. * (3/18) Building on the item I discovered on 3/15, I found that if I click on Cancel in the Save dialog, it invokes the "stuck onload" bug I reported on 2/21 in a determinist fashion. Trying to create such a repeatable incarnation of this bug is what lead me to my "tracker" in the first place. Anyway, utilizing a Save File dialog as the initiator, this lets me build a history tracker that works with 2.01. I've created a sample exploit. This writes the the same log as my 2/22 tracker, so use this to view the tail of the logfile. Note that with 2.01, the 1x1 window previously used ends up being bigger, so you can easily see it flash. And, the "stuck onload" gets "unstuck" by visiting another page with an onLoad() tag. This may not be a very intriguing way to spy on someone. * (3/15) NOTE: This item in and of itself is not necessarily a security problem. JavaScript loaded from some page can write to local files on your disk. This info is from my news posting to the devs-javascript group. This is the basic bit of code: document.open("Can I write to your disk?") document.write("") document.close() This trick requires the user to go through a File Save dialog, and hence, is not transparent. The user chooses the file name, but I'm able to write to disk none-the-less. This is quite against the stated fact that JavaScript is "Secure. Cannot write to hard disk" - and this works in 2.01. Try my example. For me, this always caused a GPF on Windows NT. That is, once the File Save dialog appeared, no matter what I selected, it went poof! It seems to core dump the UNIX version of Navigator if you don't open up a new window relatively fast (i.e., before you go to some other JavaScript laden page). I've found that nasty things begin to happen if you click on Cancel in the Save dialog (see 3/18 for details). Note that the file never gets closed until you exit Netscape, so small writes tend to get buffered up and not output. These above mentioned bugs with this mechanism initially lead me to believe that the ability to write files was errantly added to JavaScript. Brendan Eich has since informed me that this ability is intentional, or at least, known about. * (2/22) I discovered a way to make my JavaScript stay resident in a new window, so that I can track your history in real time. This problem has been fixed in Netscape-2.01; see Netscape's security note on Java and JavaScript. You can read the original article I posted to the RISKS Forum on this problem. That whole issue is also available in the archive in the UK. Another article of interest appeared Keith Dawson's TBTF on Feb 28. * (2/21) I've seen JavaScript stay resident after you leave a page. This is what I call the "stuck onload()" problem, and is a BUG (still in 2.01). * (2/13) The bug in Netscape 2.0b3 that allowed JavaScript to directory browse lives on in the 2.0 release, even after Netscape told us it was fixed. This is fixed in Netscape-2.01. * This is a classified as a red herring, but JavaScript has the ability to toss up arbitrary alert boxes. I used to have this one pop up on my home page. I wanted this message to sound really bad. This was before I wrote the tracker. A more interesting message would be Please type your password or something similar. * There are hundreds of exciting things to do with Netscape 2.0 and JavaScript. WARNING: viewing this page may damage or crash Netscape. _________________________________________________________________ John Robert LoVerso, OSF Research Institute Last modified on Monday, 01-Apr-96 14:51:07 EST. This page accessed 16247 times.