von dp am 15.Maerz 97 um 17:06:41:
zu: shockwave und Ausgabe in Dateien von Daniel am 22.Dezember 96 um 15:43:57:
Here's the current info I have, as of 3:30pm PST Friday:
-- WIRED reported Thursday morning that you could use a "getNetText" in
Shockwave to call out through Netscape Mail and read email on the local drive,
if you knew the path to the email.
-- This story has been picked up by a few other services, but is not yet
-- WIRED ran another story on Friday. A Netscape representative advises using
either their beta Communicator software, or using the D6 plugin. We do *not*
recommend use of the D6 plugin to solve this problem -- it is merely a preview
version for checking D6 features, and is not yet fully backwards-compatible with
all existing D4 and D5 sites, in all browsers, versions, and platforms.
-- The Shockwave team has been working on a new set of D5 plugins which we hope
to have available on the Macromedia website this weekend. These will lock off
the ability to exploit this hole in Netscape Mail.
-- According to MacInTouch, this hole can read any email on the local drive,
assuming you know the path to it. Someone has reported success in reading a
Eudora mailbox that was in the default position on the drive.
-- What can you do? Use beta Netscape Communicator or another browser. Use the
new Shockwave plugins available this weekend. Do not keep your mail in its
default installation directory. Create a new mailbox with a custom name for
sensitive mail. Any of these would foil the potential problem.
Summary: Yes, there is a way to read email, if a set of constraints is
satisfied. Netscape currently recommends using their beta browser. Macromedia
expects to have new plugins this weekend. There are also other things you can do
to prevent a hostile website from reading your email.
Macromedia Tech Support
Okay...I've kept quiet long enough on this subject because I didn't want to make this situation worse. But the Netscape security model really needs to be fixed because I can show you a Shockwave which can (theoretically) get to *any* file on the user's hard disk without using the mailbox protocol.
Here is the link to the demo: http://www.magic.ca/~qwi/insecure.html
Mind you that I have not and will not disclose the method publicly because of the even greater security risk. Macromedia engineers please contact me directly for the method (no fake engineers I hope).
P.S. The demo Shockwave works under both Mac and Windows (3.1 & 95) and will show the appropriate screens. Note that on the Mac, the default volume & path names are required for it to work; it is much easier to get to files under Windows. Although the demo only retrieves text files (Autoexec.bat & Config.sys on the PC and Bookmarks.html on the Mac), I managed to get it to read binary files off my hard drive.