More information about JavaScript bug

Dominick Matthias PN OIL 6 (matthias.dominick@PN.SIEMENS.DE)
Fri, 11 Jul 1997 16:07:00 +0200

It seems that some people didn't know what I was talking about so I'm
going to explain it a little bit more in detail.

First of all some people suggested upgrading to Netscape Communicator
4.01 which is not a solution for us right now because we would have to
upgrade thousands of PCs with a completely new version which means a lot
of support for us because the GUI changed so much. So for us it means to
stay with version 3.x right now.

I got the impression that people didn't realize I was talking about two
different bugs:
1) the first one discovered by a Danish IS consultant company which
enabled a site to retrieve a file from a client via the HTTP protocol
assuming location and name of the file were known to the site. To hide
this action from the user the site would have to use JavaScript but in
general (if you submitted forms to the site) it worked without
JavaScript.
2) the second bug is totally JavaScript related and enables a site to
monitor all activities (visited URLs) including *all* submissions into
forms at *other* servers!! You can find more information incl. a live
demonstration @ http://www.aleph2.com/tracker/ Imagine you visit a
malicious site and afterwards you visit an online store giving your
credit card number and/or password...

#1) was fixed with Netscape Communicator 4.01 and as far as I know bug
#2 wasn't publicly known at this time so Netscape couldn't fix that
bug.

While Netscape promised to fix Netscape Navigator 3.01 shortly
afterwards, nothing happened for quite a while. In the middle of this
week I became aware of bug #2 and shortly afterwards Netscape released 3.02
saying that this version fixes bug #1 and another JavaScript bug found
by an employee at Bell Labs. At this time I wasn't sure if this was bug
#2 or another one. Netscape promised to fix the Bell Labs bug with
Netscape Communicator 4.02 so this would mean that 3.02 would be even
safer than 4.01.

So I downloaded 3.02 for Windows 95 and confirmed that bug #1 got fixed.
However connecting with 3.02 @ tracker it will still track my URLs and
form submissions. The programmer programmed an even better solution
where, under normal circumstances, you won't even realize that all your
visits are tracked.

Connecting with 4.01 to this site it still tries to track down my URLs
but they don't get written to the log file so now I'm even more
confused.

What I have learned so far is that, using either 3.02 or 4.01, I will
definitely disable JavaScript because in my opinion bug #2 can be *very*
dangerous! I hope Netscape will shortly release a new version of
Navigator and Communicator which will fix bug #2.

Bye
-- Matthias