From: dendler at idefense.com (David Endler)
Subject: iDEFENSE Security Advisory 11.19.02c: Netscape Predictable Directory Structure Allows Theft of Preferences File

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.19.02c:
http://www.idefense.com/advisory/11.19.02c.txt
Predictable Directory Structure Allows Theft of Netscape Preferences
File
November 19, 2002

I. BACKGROUND

Netscape Communications Corp.'s Communicator is a popular package
that includes a web browser (Navigator), e-mail client, news client,
and address book.

II. DESCRIPTION

Socially engineering users of Netscape Communicator 4.x's web browser
and e-mail client into clicking on a malicious link could return the
contents of the targeted user's preferences file back to a remote
attacker.

The attack involves the redefinition of user_pref(), an internal
JavaScript function. The redefined function collects all of the user's
preferences into a string, stores it in a hidden field of a form, and
a second JavaScript routine later submits that form. For the
redefinition to take effect, an attacker must place the exploit script
on a Windows (or Samba) share and coerce a victim into following a
link to it; a sample link to an attack script would look like
file:///attacker.example.com/thief.html. Communicator only allows
local files to redefine internal functions.

III. ANALYSIS

Remote exploitation allows an attacker to steal user preferences,
including the victim's real name, e-mail address, e-mail server, URL
history and, in some cases, e-mail password.

IV. DETECTION

Netscape Communicator 4.x is vulnerable. Communicator 6 and later is
not vulnerable, since it stores the prefs.js file in a randomized
location.
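
The following is an added example, not code from the iDEFENSE advisory or
from Netscape. It shows the kind of gateway or proxy-log check a defender
could run for the two indicators the advisory names: a link that uses the
file: scheme to reach a remote Windows/Samba share (section II), and page
content that redefines user_pref() while pulling in a prefs.js from a fixed
path (section IV). The function names, regular expressions and sample
messages are constructed for this example, and the prefs.js path in the
sample is a placeholder rather than Communicator's real profile path. The
host-name heuristic in classifyFileUrl() is an assumption about how such
links are written, not something the advisory states.

```javascript
// Added example (not from the iDEFENSE advisory or Netscape): detection
// checks for the indicators the advisory describes. All names, regexes and
// sample inputs here are constructed; the prefs.js path is a placeholder.

// Classify a file: URL by where it points. file:///C:/... and file:///C|/...
// are local Windows drives; file://host/... or file:///host.name/share/...
// name a remote share, which is the delivery vector the advisory describes.
function classifyFileUrl(url) {
  const m = /^file:(\/*)(.*)$/i.exec(url.trim());
  if (!m) return null;                       // not a file: URL at all
  const slashes = m[1].length;
  const rest = m[2];
  const first = rest.split(/[\/\\]/)[0];
  if (/^[A-Za-z][:|]$/.test(first)) return 'local-drive';
  if (slashes === 2 && first && first.toLowerCase() !== 'localhost') {
    return 'remote-share';                   // file://server/share/...
  }
  // Heuristic (assumption): a dotted first segment followed by more path
  // reads as a host name (file:///attacker.example.com/thief.html), not a
  // file name such as file:///index.html.
  if (first.includes('.') && rest.length > first.length) return 'remote-share';
  return 'local-path';
}

// Pull every file: URL out of a chunk of text (mail body or HTML).
function findFileUrls(text) {
  return Array.from(text.matchAll(/\bfile:[^\s"'<>)]+/gi), (m) => m[0]);
}

// Redefinition of the internal user_pref() function, in either spelling.
const REDEFINES_USER_PREF = /\b(function\s+user_pref\s*\(|user_pref\s*=\s*function\b)/;
// A <script src=...> that names a prefs.js file.
const LOADS_PREFS_JS = /<script\b[^>]*\bsrc\s*=\s*["']?[^"'>]*prefs\.js/i;

// Return the list of findings for one message or page; empty means clean.
function scanForPrefsTheft(content) {
  const findings = [];
  for (const url of findFileUrls(content)) {
    if (classifyFileUrl(url) === 'remote-share') {
      findings.push(`file: link to remote share: ${url}`);
    }
  }
  if (REDEFINES_USER_PREF.test(content)) findings.push('redefines user_pref()');
  if (LOADS_PREFS_JS.test(content)) findings.push('loads prefs.js as a script');
  return findings;
}

// Constructed samples: a benign mail with local file: links, and a mail that
// carries the advisory's link shape plus the bare script skeleton it
// describes (the user_pref body is deliberately empty).
const BENIGN_MAIL =
  'See the notes at file:///C:/Docs/notes.html or file:///etc/hosts';
const SUSPECT_MAIL =
  'Click file:///attacker.example.com/thief.html\n' +
  '<script>function user_pref(name, value) {}</script>\n' +
  '<script src="file:///C:/PLACEHOLDER/Netscape/prefs.js"></script>';

// Run both samples through the scanner and return the findings side by side.
function demo() {
  return {
    benign: scanForPrefsTheft(BENIGN_MAIL),
    suspect: scanForPrefsTheft(SUSPECT_MAIL),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The file: link check is the one worth keeping even after the user_pref()
signature stops mattering: a mail or web link that drives a browser into a
remote share is unusual enough on its own to justify a gateway alert, and
the classifier treats drive-letter and localhost forms as local so that
ordinary intranet links do not trip it.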

V. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1204 to this issue.

VI. DISCLOSURE TIMELINE

08/29/2002	Issue disclosed to iDEFENSE
10/14/2002	Netscape notified (support@...scape.com, 
		info@...scape.com, pradmin@...scape.com)
10/14/2002	iDEFENSE clients notified
10/31/2002	Second attempt at vendor contact
11/07/2002	Third attempt at vendor contact
11/19/2002	Public disclosure

VII. CREDIT

Bennett Haselton (bennett@...cefire.org) discovered this
vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@...fense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@...fense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPdrFIUrdNYRLCswqEQJO8QCeLSkaHcdHYKxSR+4gP4b3gX8KADcAnj7p
M0apHRqvhaWN4jthj57zhgNO
=QPPR
-----END PGP SIGNATURE-----

