Re: Netscape Exploit

Sevo Stille (sevo@inm.de)
Sun, 15 Jun 1997 14:54:05 +0200

> Von: Justin C. Ferguson <jferg@ACM.ORG>
>... [crude attempt using file upload deleted]
> Unless I'm missing something here, this method _does_not_ work. This
> was my first idea when I first heard about the bug as well, but from what I can
> tell, it's not possible to set a value (or a defaultValue using JavaScript) for
> a file type input. The only even remotely possible way I can see to
> do this is perhaps through the fact that Netscape caches form data for reposts,
> and some trick here regarding reloading the page.

Of course, another way would be smashing an internal Netscape stack to insert
a filename into that readonly field.

But there is another possible loophole - it has always been possible to access
random JavaScript elements from a document in another frame or window. This
works with any JavaScript-containing document, whether local or on a server,
as long as the objects aren't tainted, and it is commonly used to feed dynamic
data into JavaScript documents.
However, it is hardly exploitable - nobody will use JavaScript objects to store data
on his disks, and the plain text body of a document is no readable property of
document. But any bug which exposes the document text - like an accessible
internal property of the Navigator parser - would make any file vulnerable.

Sevo