shockwave / netscape security hole

[ Zettels Traum ] [ search / suche ]

von dp am 15.Maerz 97 um 17:06:41:

zu: shockwave und Ausgabe in Dateien von Daniel am 22.Dezember 96 um 15:43:57:

Here's the current info I have, as of 3:30pm PST Friday:

-- WIRED reported Thursday morning that you could use a "getNetText" in
Shockwave to call out through Netscape Mail and read email on the local drive,
if you knew the path to the email.

-- This story has been picked up by a few other services, but is not yet

-- WIRED ran another story on Friday. A Netscape representative advises using
either their beta Communicator software, or using the D6 plugin. We do *not*
recommend use of the D6 plugin to solve this problem -- it is merely a preview
version for checking D6 features, and is not yet fully backwards-compatible with
all existing D4 and D5 sites, in all browsers, versions, and platforms.

-- The Shockwave team has been working on a new set of D5 plugins which we hope
to have available on the Macromedia website this weekend. These will lock off
the ability to exploit this hole in Netscape Mail.

-- According to MacInTouch, this hole can read any email on the local drive,
assuming you know the path to it. Someone has reported success in reading a
Eudora mailbox that was in the default position on the drive.

-- What can you do? Use beta Netscape Communicator or another browser. Use the
new Shockwave plugins available this weekend. Do not keep your mail in its
default installation directory. Create a new mailbox with a custom name for
sensitive mail. Any of these would foil the potential problem.

Summary: Yes, there is a way to read email, if a set of constraints is
satisfied. Netscape currently recommends using their beta browser. Macromedia
expects to have new plugins this weekend. There are also other things you can do
to prevent a hostile website from reading your email.

John Dowdell
Macromedia Tech Support

Okay...I've kept quiet long enough on this subject because I didn't want to make this situation worse. But the Netscape security model really needs to be fixed because I can show you a Shockwave which can (theoretically) get to *any* file on the user's hard disk without using the mailbox protocol.

Here is the link to the demo:

Mind you that I have not and will not disclose the method publicly because of the even greater security risk. Macromedia engineers please contact me directly for the method (no fake engineers I hope).


P.S. The demo Shockwave works under both Mac and Windows (3.1 & 95) and will show the appropriate screens. Note that on the Mac, the default volume & path names are required for it to work; it is much easier to get to files under Windows. Although the demo only retrieves text files (Autoexec.bat & Config.sys on the PC and Bookmarks.html on the Mac), I managed to get it to read binary files off my hard drive.

_______________________________________________ __________________

Dave Yang


D. Plänitz