After executing the testommunicator 4.7 (NT/win2k) vulnerability - After executing the test hyperlink on beavuh.org's page on his client machine, he was able telnet to a remote shell on port 6968 of my client machine. Test your browser at www.beavuh.org.
e2a585f482ecb2acb3525271250492dd269005d88c07c89103a93cdef0239055
<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<BODY BGCOLOR="#000000" TEXT="#FFFFFF"><PRE>
<FONT COLOR="#CC0000">COMMAND</FONT>
Netscape Communicator 4.7
<FONT COLOR="#CC0000">SYSTEMS AFFECTED</FONT>
Netscape Communicator 4.7 (NT/win2k)
<FONT COLOR="#CC0000">PROBLEM</FONT>
dark spyrit found following. Here's an exploit for the 4.7 hole
released not so long ago. Head to
<FONT COLOR="#00FF00">
http://www.beavuh.org
</FONT>
to test your system. It has been tested on NT only, but should
also work on win2k.. the exploit would need recoding for 9x -
More details are available on the page.
Zach Thompson tested this vulnerability on a Win2k Professional
machine (AKA WinNT WS 2000) running the currently downloadable
version of Communicator 4.7 and found it to be vulnerable. After
executing the test hyperlink on beavuh.org's page on his client
machine, he was able telnet to a remote shell on port 6968 of my
client machine.
One thing to note though. After clicking on this link,
Communicator stopped responding and Zach let it sit for about 3
minutes thinking it might come back. Eventually he had to kill it
with Task Manager. After killing Netscape, the remote shell was
lost on the target machine and the Telnet session was
disconnected. This only leaves a small amount of time for the
malicious person to exploit the remote shell before the end user
kills Netscape for not responding.
<FONT COLOR="#CC0000">SOLUTION</FONT>
It appears Netscape has patched the version that is currently
available for download.
</PRE></BODY>
</HTML>