
netscape.4.x.java.txt
Posted Dec 1, 1999
Authored by Ahmed Ghandour

Netscape Communicator 4.x allows JavaScript code in one Netscape window to read data from another browser window, even if the two windows are pointed at different domains. Demonstration here.

tags | exploit, javascript
systems | windows
SHA-256 | 78532de37047a0f01fce8f4aff77ba175cc8163011408ee025f978c0e9cea369

Netscape 4.x JavaScript security flaw

Versions tested: Windows98/Netscape4.7, Windows95/Netscape4.05

Description: (Credits to Henri Torgemane)
Netscape has a "persistent" navigator object, which means that any data put
in the window.navigator object will be accessible to every other window as long
as the browser is running. This is slightly worse than non-persistent cookies
since it works across domains. (not by much.. advertisers didn't wait for this
feature to track users from different sites)

Any window that somehow gets a handle to another window can look at it.
If you try to explore the objects inside that window, you'll see pretty much
every global function and variable defined on that window. But you cannot see
"sensitive" objects like document, history, location, etc.
This is mostly an attempt at not breaking compatibility with scripts developed
with previous versions of Navigator: Every object can be accessed except those
known to be sensitive.

(Credits to Ahmed Ghandour)
ex:
<script language="javascript">
navigator.secretWindowReference = self;
</script>

It's not possible (at least I haven't found any way yet) to access sensitive objects
like document, location or form, but if the window's JavaScript code
copies any of these values into a global JavaScript variable (which a lot of sites do), the user can
gain access to this sensitive information.

ex.
<script language="javascript">
var myForm = document.forms[0]; // Now the form is visible and modifiable from any other window
</script>

Another way to access sensitive information is to override a global function that
receives sensitive information as parameters.
ex.
<script language="javascript">
// original web-site javascript function
function validForm(form){
// do some form checkings..
}

// my spy function which will override the original one
function validFormSpy(form){
// get the form values and send to my email...
}
// same property name as set on the navigator object in the first example
navigator.secretWindowReference.validForm = validFormSpy;

// Now every time the page calls the validForm function I will receive a copy
// of the form object, which I can access and modify the way I want.
</script>

If you go to the demo page you can see the function example above in action;
I did this on the Online Crestar bank home page.

Solution:
Turn off JavaScript
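
A site-side check for the two exposure paths described above (a form copied into a global, and a global function that receives the form), as an added example that is not part of the original advisory. Plain objects stand in for browser windows, and the names vulnerablePage, hardenedPage, onSubmit and auditFormExposure are hypothetical; the model assumes, following the description above, that only a window's globals are reachable from another window.

```javascript
// Added example: plain objects stand in for browser windows (an assumption;
// this models the exposure rules in the advisory, not Netscape's code).
const SENSITIVE = new Set(["document", "history", "location"]);

// Globals a foreign window holding a reference could enumerate.
function visibleGlobals(win) {
  return Object.keys(win).filter((n) => !SENSITIVE.has(n)).sort();
}

// Page as the advisory describes it: form copied to a global, validator global.
function vulnerablePage(form) {
  const win = { document: { forms: [form] } };
  win.myForm = win.document.forms[0];
  win.validForm = (f) => /^\d{4}$/.test(f.pin);
  win.onSubmit = () => win.validForm(win.document.forms[0]);
  return win;
}

// Same page with form and validator kept in a closure; only onSubmit is global.
function hardenedPage(form) {
  const win = { document: { forms: [form] } };
  const validForm = (f) => /^\d{4}$/.test(f.pin);
  win.onSubmit = () => validForm(win.document.forms[0]);
  return win;
}

// Audit: list visible globals that expose a form, either by holding it
// directly or by receiving it as an argument once the function is replaced.
// The wrappers are left installed on the window object passed in.
function auditFormExposure(win) {
  const forms = win.document.forms;
  const exposed = new Set();
  for (const name of visibleGlobals(win)) {
    const value = win[name];
    if (forms.includes(value)) exposed.add(name);
    if (typeof value === "function") {
      win[name] = (...args) => {
        if (args.some((a) => forms.includes(a))) exposed.add(name);
        return value(...args);
      };
    }
  }
  win.onSubmit(); // drive the page's own submit path through the wrappers
  return [...exposed].sort();
}

const sampleForm = { customer: "constructed-0001", pin: "1234" }; // constructed
console.log(auditFormExposure(vulnerablePage(sampleForm)));
console.log(auditFormExposure(hardenedPage(sampleForm)));
```
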

Subject: Re: Netscape communicator 4.x Javascript security flaw
Date: Fri Nov 26 1999 09:03:16
Author: Ahmed Ghandour

>But you cannot use it to automatically grab form data as was implied
>on the nsSecurityFlaw1.html page.
I know this, but what you can do is override a global function like validForm(form), which you can find in the Crestar bank page, with your own function, and that way you can have access to his document.form object and also grab his customer number and PIN code!
You can do one script to automatically override any JavaScript function in any page from any domain visited by the user! And this is a big security hole!

Thanks
Ahmed Ghandour