Mac/At Ease/Netscape File Access Exploit

Nathan Dorfman (nathan@SENATE.ORG)
Tue, 20 May 1997 18:10:15 -0400

Please don't flame me for posting Mac stuff to a UNIX list; I see NT
crap here all the time, and thought some admins may think twice before
running At Ease (or before running Macs in the first place).

SYNOPSIS: At Ease apparently doesn't patch the kernel to introduce file
restrictions, but modifies a library that programs call to display an
Open File dialog box.

IMPACT: This bug allows a user to read files and directories he shouldn't
have access to under the At Ease system.

DESCRIPTION: Under At Ease, files and folders that you shouldn't have access
to are grayed out in Open File dialogs. Using a program like Netscape you
can bypass the dialog, using a URL such as:

file://TZHS%20HD%202/Documents/Dorfman%20Nathan

Note that the implementation of Netscape used automatically converted
spaces to %20 combinations as required by HTTP 1.1 (RFC 2068):

file://TZHS HD 2/Documents/Dorfman Nathan/

Will show the contents of that folder. For non-text files, you can simply
save the file into a folder you DO have access to and use the appropriate
program to open it.

EXTRA NOTES: Netscape will not let you modify the folders but a simple program
can be written that takes a filename in a text-box and opens the file from its
location, without copying. If you can write Mac code, and are willing to,
please send to nathan@senate.org.
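
Added example (not part of the original post, and not At Ease or Netscape code): a small Python model of the design flaw described above, contrasting a restriction applied only in the Open File dialog with one applied at the open call itself. The deny list, the file store and all function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed policy (assumption): folder trees the restricted user must not read.
DENIED = [("TZHS HD 2", "Documents")]

def url_to_components(url):
    """Split a file:// URL into decoded path components (volume first)."""
    if not url.lower().startswith("file://"):
        raise ValueError("not a file URL")
    raw = url[len("file://"):]
    # Split before decoding so an encoded separator cannot add components.
    return tuple(unquote(part) for part in raw.split("/") if part)

def is_denied(components, denied=DENIED):
    """True if the path is a denied folder or lies beneath one."""
    folded = tuple(c.casefold() for c in components)  # HFS names are case-insensitive
    for prefix in denied:
        p = tuple(c.casefold() for c in prefix)
        if folded[:len(p)] == p:
            return True
    return False

def dialog_choices(listing):
    """UI-only control: the dialog offers just the permitted entries."""
    return [c for c in listing if not is_denied(c)]

def open_unguarded(components, store):
    """Open layer with no check: trusts the caller to have used the dialog."""
    return store[components]

def open_guarded(components, store):
    """Open layer that enforces the policy for every caller."""
    if is_denied(components):
        raise PermissionError("/".join(components))
    return store[components]

# Constructed file store keyed by path components.
STORE = {
    ("TZHS HD 2", "Documents", "Dorfman Nathan"): "private folder listing",
    ("TZHS HD 2", "Public", "ReadMe"): "public file",
}
```

The dialog filter and the guarded open share one policy function; only the guarded open still applies it when the path arrives from somewhere other than the dialog, such as a typed URL.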