11.19.02c.txt

11.19.02c.txt: Posted Nov 20, 2002; Authored by Bennett Haselton | Site idefense.com; iDEFENSE Security Advisory 11.19.02c - Users of Netscape Communicator 4.x's web browser and e-mail client who can be tricked into clicking on a malicious link can return the contents of the targeted user's preferences file often including e-mail password and URL history back to a remote attacker who redefines user_pref(), a javascript function.; tags | advisory, remote, web, javascript; SHA-256 | 5eab9de58ab811abe7daf58eecc2038d3161def28aef9bc2de99db7a39f21201; Download | Favorite | View

11.19.02c.txt

iDEFENSE Security Advisory 11.19.02c:
http://www.idefense.com/advisory/11.19.02c.txt
Predictable Directory Structure Allows Theft of Netscape Preferences File
November 19, 2002

I. BACKGROUND

Netscape Communications Corp.'s Communicator is a popular web-browsing 
package that includes a web browser (Navigator), e-mail client, news client, 
and address book.

II. DESCRIPTION

Socially engineering users of Netscape Communicator 4.x's web browser and 
e-mail client into clicking on a malicious link could return the contents of the 
targeted user's preferences file back to a remote attacker.

The attack involves the redefinition of user_pref(), which is an internal 
JavaScript function. The redefined function constructs a string of all user 
preferences stored in the hidden field of a form and later submitted by 
another JavaScript routine. In order for the redefinition to occur, an attacker 
must store the exploit script in a Windows (or Samba) share and coerce a 
victim into following a link to it. A sample link to an attack script would look 
like file:///attacker.example.com/thief.html.  Communicator only allows local 
files to redefine internal functions.

III. ANALYSIS

Remote exploitation allows an attacker to steal user preferences, including 
the victim's real name, e-mail address, e-mail server, URL history and, in 
some cases, e-mail password.

IV. DETECTION

Netscape Communicator 4.x is vulnerable. Communicator 6 and later is not 
vulnerable, being it stores the prefs.js file in a randomized location.

V. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project 
assigned the identification number CAN-2002-1204 to this issue.

VI. DISCLOSURE TIMELINE

08/29/2002  Issue disclosed to iDEFENSE
10/14/2002  Netscape notified (support@netscape.com, 
    info@netscape.com, pradmin@netscape.com)
10/14/2002  iDEFENSE clients notified
10/31/2002  Second attempt at vendor contact
11/07/2002  Third attempt at vendor contact
11/19/2002  Public disclosure

VII. CREDIT

Bennett Haselton (bennett@peacefire.org) discovered this vulnerability.

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

11.19.02c.txt

11.19.02c.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

11.19.02c.txt

Share This

11.19.02c.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems