
Serious Security Bug


John Robert LoVerso

21 Feb 1996

I just accidentally did something that has horrible and rather damaging
consequences.


I have a page that has onload="foo()", where foo() executes an alert() and
a history.back(). When one user here visited the href, they got a surprising
effect: my onload and JavaScript function has gotten "stuck" and is being
executed for every page they access, including things like "about:".

I've now caused this several times, with 2.0 running on HP-UX and on Solaris.
I cannot quite reproduce it at will, but I do have a strong suspicion that
it is a combination of a busy browser and an alert popup that puts the browser
in this state. This reopens the "copy user's history bug", but with the
added consequence that I can write code that snoops on you once you've
visited my page.

Let me state that again, concisely:

I have seen a case where JavaScript imported from one page is
being executed by the Navigator for EVERY subsequent page it
renders.

The result is no security in JavaScript.


BTW, there is no magic involved in this. Just a serious bug in 2.0.
See my home page [http://www.osf.org/~loverso/]

John LoVerso
OSF Research Institute

Brendan Eich

21 Feb 1996
This is a real bug, but it's hard to make bite consistently. I know a
few tricks that can help, and we were always aware of the possibility of
this sort of attack, but I think your efforts to make it reproducible
merit a bug bounty because they make up for our lack of time to market
to test all the potential holes. I will pass this message on to the bug
bounty judges.

I don't agree, however, with your hyperbolic summary: "The result is no
security in JavaScript". If I can pick your front door's lock, does
your house really have "no security"? What is the cost to a bad guy of
attempting to control this bug and use it to gather mostly-useless URLs,
in the hope of capturing a secret key? Security is not a bipolar thing,
it depends on economics.

All this is my opinion, of course, and not an official pronouncement of
Netscape (if I say something really out of line with company policy,
I'll let the group know, and consider carefully what to do about such a
divergence between my opinions and the official position, myself!).

There are more profitable holes for crackers to attack than this one.
We will certainly fix it in 2.1.

/be

Larry Page

25 Feb 1996
to bre...@atm.mcom.com, lov...@osf.org
I'd just like to point out that while this is a security hole, I'd
hate to see this functionality removed completely from Netscape.

Being able to do database queries for each page could greatly enhance
existing search services. It can provide the ability to do web-wide
annotations, and many other interesting services. I'm planning to
offer such a service soon.

Perhaps this problem could be fixed just by requiring a window to be
reasonably sized and visible.

-Larry
