VeriSign, Inc.® US Home | Worldwide Sites | Site Map
Products & Services Solutions Support About VeriSign Login for existing VeriSign customers
You Are Here: US Home > VeriSign iDefense Security Intelligence Service > Current Intelligence > Vulnerability Advisories > 2002 > 11.19.02

Predictable Directory Structure Allows Theft of Netscape Preferences File

I. BACKGROUND

Netscape Communications Corp.'s Communicator is a popular web-browsing package that includes a web browser (Navigator), e-mail client, news client, and address book.

II. DESCRIPTION

Socially engineering users of Netscape Communicator 4.x's web browser and e-mail client into clicking on a malicious link could return the contents of the targeted user's preferences file back to a remote attacker.

The attack involves the redefinition of user_pref(), which is an internal JavaScript function. The redefined function constructs a string of all user preferences stored in the hidden field of a form and later submitted by another JavaScript routine. In order for the redefinition to occur, an attacker must store the exploit script in a Windows (or Samba) share and coerce a victim into following a link to it. A sample link to an attack script would look like file:///attacker.example.com/thief.html.  Communicator only allows local
files to redefine internal functions.

III. ANALYSIS

Remote exploitation allows an attacker to steal user preferences, including the victim's real name, e-mail address, e-mail server, URL history and, in some cases, e-mail password.

IV. DETECTION

Netscape Communicator 4.x is vulnerable. Communicator 6 and later is not vulnerable, being it stores the prefs.js file in a randomized location.

V. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1204 to this issue.

VI. DISCLOSURE TIMELINE

08/29/2002 Issue disclosed to iDEFENSE
10/14/2002 Netscape notified (support@netscape.com,
info@netscape.com, pradmin@netscape.com)
10/14/2002 iDEFENSE clients notified
10/31/2002 Second attempt at vendor contact
11/07/2002 Third attempt at vendor contact
11/19/2002 Public disclosure

VII. CREDIT

Bennett Haselton (bennett@peacefire.org) discovered this vulnerability.


Need more information?
Speak with a service representative at 650-426-5310 Request information online


Contact Us
Please contact sales at
650-426-5310 or
submit your inquiry online.
VeriSign iDefense Security Intelligence Service
Security Intelligence Service Levels
Alerts, Reports, and Briefings
Methodology
Research and Response Teams
Current Intelligence
Topical Research Reports
Vulnerability Advisories
Malicious Code Advisories
Information Center
Security Intelligence Webcasts
Proactive Security Intelligence
Intelligence for Patch Management
Early Threat Warning
Contact Us Careers Legal Notices Privacy Repository ©1995-2007 VeriSign, Inc. All rights reserved.
Products & Services  :  Solutions  :  Support  :  About VeriSign  :  Existing Customers
US Home  :  Worldwide Sites  :  Site Map  :  Search
VeriSign (Nasdaq: VRSN) operates intelligent infrastructure services that enable and protect billions of interactions across the world's voice and data networks. VeriSign offerings include SSL Certificates, two-factor authentication, identity protection, managed network security, public key infrastructure (PKI), security consulting, information management, as well as solutions for intelligent communications, commerce, and content. VeriSign is also building next-generation service offerings for emerging opportunities such as RFID-enabled supply chains, VoIP technology, and digital-content distribution over mobile and broadband networks.