Re: Netscape Exploit

Edwin Li-Kai Liu (robin.hood@IBM.NET)
Sun, 15 Jun 1997 17:52:26 +0700


Please "view" the HTML source to check whether it hurts before viewing this
page. I have written everything I want to say in this document.

--

Robin Hood ------------------------------------ Dreaming of a butterfly, fly into the sky. (Dreaming of becoming a butterfly, flying up into the sky.)

[Attachment: eviljava.html]

The Netscape Bug Test Page

The following is what I have tried, in order to show my responsibility for my postings to the mailing list.

Failure History:

  1. Generate the INPUT TYPE tag with the JavaScript document.write function.
     I hoped the bug was due to a lack of checking in document.write. Reason
     for failure: document.write treats the code as usual.
  2. Assign a value by JavaScript. Reason for failure: value ignored.
  3. Try to assign a default value to the INPUT TYPE, then reset to force it
     to be set again. Reason for failure: no effect.
  4. Try to assign a default value to a different type, then force the input
     type to change to FILE. Reason for failure: TYPE is read-only.
  5. Try the OPEN property of INPUT TYPE=FILE. Reason for failure: open is
     not a function.
  6. Try to have more than one element named SIMPLE in order to confuse
     Netscape, then try to set the form value of SIMPLE. Reason for failure:
     Netscape not confused.
  7. Try to assign a value to a textbox and paste it into the textbox
     provided by INPUT TYPE=FILE. Reason for failure: there is no function to
     do that.
  8. Try to replace the VALUE attribute with FILENAME in SIMPLE. (Please look
     at the result produced by the CGI program.) Reason for failure: doesn't
     work.
  9. Multiple SIMPLE file inputs, all placed after the SIMPLE hidden input.
     Reason for failure: cannot even set the file name manually.

I still believe that the way to let the server get the file contents, given knowledge of the exact path name and file name, is to use the INPUT TYPE=FILE method. However, it seems very difficult to force a file to be assigned to that form element. Therefore, my hypothesis is that there should be a bug that lets a JavaScript program set the value of a secured form element.

Possible directions for research might be: JavaScript and security; form data manipulation; or related topics about JavaScript. However, it is not necessary to stick with client-side JavaScript. I am not sure whether it is impossible to use server-side JavaScript to accomplish this. Maybe the problem is due to a Java applet, not JavaScript. The best way, but the most difficult way, is to debug the Netscape program in order to clarify this.

I think searching for a bug in Netscape is definitely outside our topic; originally we just wanted to "guess" how the bug works for hacking. Well, if someone really wants the one thousand US dollar reward and a T-shirt, that person may continue to do so. I will not research this any more. But if you do find the bug, I hope you can give me the T-shirt. :-)

If you have any questions, you are welcome to e-mail robin.hood@ibm.net. I will be glad to receive your comments. Special thanks to Justin C. Ferguson, who provided the server-side cgi-bin program that eased my testing.
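The page below is an added example, not the eviljava.html attachment and not the author's code. It replays the post's attempts 1, 2, 3, 4, 8 and 9 in a current browser and logs what each does, then shows the one thing a modern browser does allow (populating `input.files` from a DataTransfer of File objects the script itself created). The path C:\autoexec.bat, the element names and ids are assumptions; the form has no action, so nothing is uploaded. The behaviour it checks is that of current HTML browsers, not Netscape 3/4, where the post's observations were made.

```html
<!-- Added example: retest of the post's attempts to set a file input's value. -->
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>File input value-setting retest</title></head>
<body>
<form id="f" onsubmit="return false;">
  <input type="hidden" name="SIMPLE" value="hidden-value">
  <input type="file" name="SIMPLE" id="fileinput">
</form>
<pre id="log"></pre>
<script>
// Hypothetical target path, used only as a string; no file is ever read.
var PATH = "C:\\autoexec.bat";

function log(msg) { document.getElementById("log").textContent += msg + "\n"; }

// Run one attempt and record either its result or the DOMException it throws.
function attempt(label, fn) {
  try {
    log(label + ": no exception, result = " + JSON.stringify(fn()));
  } catch (e) {
    log(label + ": threw " + e.name + " (" + e.message + ")");
  }
}

var form = document.getElementById("f");
var fileInput = document.getElementById("fileinput");

// Attempt 1: value attribute written into the markup. For a file input the
// value content attribute is ignored; .value reads back "".
attempt("1 markup with value attribute", function () {
  var div = document.createElement("div");
  div.innerHTML = '<input type="file" name="w" value="' + PATH + '">';
  document.body.appendChild(div);
  return div.firstChild.value;
});

// Attempt 2: direct assignment. Any non-empty string throws InvalidStateError;
// only "" is accepted (it clears the selection).
attempt("2 .value = path", function () {
  fileInput.value = PATH;
  return fileInput.value;
});

// Attempt 3: defaultValue then form reset. Reset empties the selected files;
// .value is still "".
attempt("3 defaultValue + reset", function () {
  fileInput.defaultValue = PATH;
  form.reset();
  return fileInput.value;
});

// Attempt 4: fill a text input, then switch its type to file. Modern browsers
// allow the type change (Netscape made TYPE read-only), but the value does not
// carry over into the file control.
attempt("4 text -> file type change", function () {
  var t = document.createElement("input");
  t.type = "text";
  t.value = PATH;
  t.type = "file";
  return t.value;
});

// Attempts 8/9: two controls named SIMPLE. form.elements.SIMPLE is then a
// RadioNodeList, whose value setter only checks radio buttons, so the file
// control is untouched.
attempt("8/9 duplicate SIMPLE names", function () {
  form.elements.SIMPLE.value = PATH;
  return [form.elements.SIMPLE[0].value, form.elements.SIMPLE[1].value];
});

// What is allowed: assigning a FileList built from File objects the script
// constructed. No local path is involved, so this cannot read a user's file.
attempt("files from DataTransfer", function () {
  var dt = new DataTransfer();
  dt.items.add(new File(["constructed content"], "constructed.txt"));
  fileInput.files = dt.files;
  return fileInput.value;   // "C:\fakepath\constructed.txt"
});
</script>
</body>
</html>
```

Open the file locally and read the `<pre>` block: attempts 1, 3, 4 and 8/9 report an empty value for the file control, attempt 2 reports InvalidStateError, and only the last step changes the control, and then only with content the script already held. That last point is the security property the post was probing for: a script can hand the server bytes it already has, but there is no route from a path string to a local file's contents.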
