First off - I've posted this before (however not to this group) and only
got a response from the Netscape Corp. They were glad I found the
problem and said that they would fix it, however I feel that people
should know about it. Also I would like people to help me spread this
document around, i.e. if you know of a newsgroup (or people) that would
find this interesting then please re-postit.
On with the problem...
I've recently got hold of the latest netscape, and was (at first) very
excited about the new "LiveScripts" that it supports. If people don't
yet know - these "LiveScripts" allow you to put small programs into your
web page that is then executed by the Netscape client. There is no
DIRECT way for these programs to send information back to the owner of
the web page, however I was able to do it in a not-so-direct way.
The "LiveScript" that I wrote extracts ALL the history of the current
netscape window. By history I mean ALL the pages that you have visited
to get to my page, it then generates a string of these and forces the
Netscape client to load a URL that is a CGI script with the QUERY_STRING
set to the users History. The CGI script then adds this information
to a log file. Now if this hasn't quite CLICKED yet lets do a little
Johnny Mnemonic starts up his newly acquired version of Netscape2.0b2
to start his daily "surf" session. First he decides to check his CD-NOW
purchase and uses the handy Auto-Login URL. Then he decides to go to
Lycos and do a search. In his search he find my page, which he decides
to visit. Suddenly he is transported, not to my main page but to one
of my CGI scripts, which in turn happens to have ALL the URL's he just
been to in it. This means that in my log will be:
- the URL to use to get into CD-NOW as Johnny Mnemonic, including
username and password.
- The exact search params he used on Lycos (i.e. exactly what he
- plus any other places he happened to visit.
I do this in a way that the user will KNOW that it has happened and
will _hopefully_ email Netscape and tell them they are NOT impressed.
But it would be EASY for me to change the CGI script so that the user
is unaware that it has actually happened, unless they closely examine
their URL history (in fact they'll probably just think its a netscape
If you're skeptical about this then do the test yourself. Get netscape
2.0b2 and do some normal surfing, and then go to Lycos. Do a search for:
scotts car boot sale
which should return the URL - http://www.tripleg.com.au/staff/scott
Click on the URL and sit back an watch. First my main page will show up
but a little while later you should be transported to a CGI bin script
that will show you your URL history.
I have tested this with both the Linux 2.0b2, and Solaris 2.0b2 versions
and both have done the same thing. I would be interested in knowing if
it happens for ALL versions of Netscape2.0b2. The log file does log
the User Agent (i.e. the name of the platform you are using) so by simply
going to the page I will know that your version of Netscape is also
open to this form of attack.
Currently I can find no way to configure Netscape2.0b2 to NOT run
LiveScripts - and at the very least this option should be quickly
added to the next version of netscape to be released. But a far
better solution (IMHO) would be for netscape to pop up a window before
running the LiveScript and let you know what the LiveScript wants access
to, e.g. if it only wants to print out the current time then that's
OK, but if it wants to read my history list and then transport me to
a CGI script and add me to a logfile then maybe I would say NO.
I think I've said enough....
If you've got any further questions, or want some more information just
email me : sc...@tripleg.com.au
Quote from a car accident insurance claim: "I told the police that I was
not injured, but on removing my hat, I found that I had a skull fracture."