
Serious Security Bug

John Robert LoVerso
Feb 21, 1996

I just accidentally did something that has horrible and rather damaging
consequences.


I have a page that has onload="foo()", where foo() executes an alert() and
a history.back(). When one user here visited the href, they got a surprising
effect: my onload and JavaScript function has gotten "stuck" and is being
executed for every page they access, including things like "about:".

I've now caused this several times, with 2.0 running on HP-UX and on Solaris.
I cannot quite reproduce it at will, but I do have a strong suspicion that
it is a combination of a busy browser and an alert popup that puts the browser
in this state. This reopens the "copy user's history bug", but with the
added consequence that I can write code that snoops on you once you've
visited my page.

Let me state that again, concisely:

I have seen a case where JavaScript imported from one page is
being executed by the Navigator for EVERY subsequent page it
renders.

The result is no security in JavaScript.


BTW, there is no magic involved in this. Just a serious bug in 2.0.
See my home page [http://www.osf.org/~loverso/]

John LoVerso
OSF Research Institute

Brendan Eich
Feb 21, 1996
This is a real bug, but it's hard to make bite consistently. I know a
few tricks that can help, and we were always aware of the possibility of
this sort of attack, but I think your efforts to make it reproducible
merit a bug bounty because they make up for our lack of time to market
to test all the potential holes. I will pass this message on to the bug
bounty judges.

I don't agree, however, with your hyperbolic summary: "The result is no
security in JavaScript". If I can pick your front door's lock, does
your house really have "no security"? What is the cost to a bad guy of
attempting to control this bug and use it to gather mostly-useless URLs,
in the hope of capturing a secret key? Security is not a bipolar thing,
it depends on economics.

All this is my opinion, of course, and not an official pronouncement of
Netscape (if I say something really out of line with company policy,
I'll let the group know, and consider carefully what to do about such a
divergence between my opinions and the official position, myself!).

There are more profitable holes for crackers to attack than this one.
We will certainly fix it in 2.1.

/be

Larry Page
Feb 25, 1996
to bre...@atm.mcom.com, lov...@osf.org
I'd just like to point out that while this is a security hole, I'd
hate to see this functionality removed completely from Netscape.

Being able to do database queries for each page could greatly enhance
existing search services. It can provide the ability to do web-wide
annotations, and many other interesting services. I'm planning to
offer such a service soon.

Perhaps this problem could be fixed just by requiring a window to be
reasonably sized and visible.

-Larry
