Major new security bug in Netscape
SCF writes "This article illustrates yet another browser security bug. This time, it's in Netscape 4.5. Data from submitted forms stays in the Windows temp directory for the world to see, exposing any personal data you've filled out on a site."
It's still a lot more secure than IE. At least you can't format my hard drive from Netscape ;)
So how's Windows going to fix this? Isn't this the /tmp bug publicized around half a year ago?
Also, just out of curiosity, what about the other OSes (I'm thinking primarily Macintosh here)?
ed
This article says nothing about other OSes, so I assume this only affects Windows?
Hmmm, I'm assuming this is Windows 9x, as NT has no WINDOWS directory (and no TEMP directory under WINNT)?
If this is the case, are people really under the illusion that they have any kind of security under this OS, anyway?
--
Jason Eric Pierce
Does this happen w/Linux? Does N4.5 store a file in /tmp or anything?
That's not exactly a major bug. A bug, yes. And one that needs to be fixed. But major?
Major would be if someone could easily read those files remotely.
I'm running WinNT at work, and these files are there under c:\temp.
Netscape 4.5 HAS a cache? Wow. Must be broken on my copy, then... along with CSS support with disabled javascript, and so on. I hope version 5 will be better.
I had a quick look into my (4.5) cache directory
and everything was as expected: User r/w only.
This is Linux/2 speaking. Hallelujah.
So, yes, it works in Linux. If you can get access to /tmp.
[root@falconl /root] n*
nsform36B6235706A0457
Excuse me, but if someone has access to your physical Windows machine, they can compromise your privacy in much larger ways, not the least of which would be your browser's history and cache files to find out all the porno sites you've visited. Then, there are all sorts of temp files laying around that could be incriminating. Let's not forget about recovered lost chains from the FAT filesystem as well as undeleting files. And don't forget about the potential to install Back Orifice.
The filenames are "nsform*" and I have seen this bug on Linux and Windows with Netscape versions 2, 3, and 4. If you do large http file uploads it will fill your disk.
slashdot@chaka.net
The date of the message was Nov 1998 and the Subject was 'Form insecurity in Netscape'. The cause of this is the way that Netscape handles forms. According to the message, in order for this to occur, two conditions must be met.
1) The form submitted must be MIME-encoded (i.e., enctype="multipart/form-data")
2) TEMP environ var must be set.
Just a note that the web based lotus notes email uses this type of encoding, which means that every email you send is open for anyone using your machine to read.
In case anyone cares, www.seumas.com is on CyberPatrol's CyberNOT list.
Does not sound like a big deal to me. If you share your computer or make your drive public this is not the only thing people can see. If I make my C: drive shared then people can read my netscape mail. Is this a bug in Netscape or Windows or is it simply a foolish thing to do?
My Communicator routinely scribbles out nsform* in /tmp. The permissions are 600 for me.
So, aside from the user himself, nobody else can touch it. This is really a Windows issue.
READ THE ARTICLE!!! The bug is in Netscape 4.5...
NT 4/NS 4.5, both tmp and temp set in environment to C:\TEMP The aforementioned files are created AND deleted, as one might expect. No residual files in \temp after leaving Netscape. Certainly wouldn't call this a major bug.
A windows temp directory (or folder, shortcut :)
Most of you downplaying the seriousness of the bug have been working upon the assumption that your Windows temp directory is accessible only to you. While this is true in most cases (home users, people with their own machine in the office), it is not true in all cases.
For example, I work at a high school, where we have many windows machines around the campus that can be used by any student or staff member. Many users here use hotmail, as we do not have a mail server set up locally for staff/student use. Suppose a user writes a private email message to someone through hotmail - when they send their message, the data will be posted to www.hotmail.com. If the file with this message is left in the c:\windows\temp directory, another user can come along later, look in here, and read the message the user sent, which probably also contains their hotmail username, and (possibly) their password. I haven't yet tested this out specifically with hotmail, but it is an example to illustrate the implications the bug can have for "public" terminals.
this bug combined with the javascript/java exploit which allows anyone to read your local files means that you better think twice before you fill out another form.
Hitting "back" on the browser won't usually show you the password since it is ****'d out.
It would be much nicer for a "cracker" to get the tempfile, write down the password and then use it from home.
If you are stupid enough to post form data with any kind of secure information at all from a public terminal, you deserve anything that happens to you.
Mozilla won't have this problem... well, since Mozilla doesn't even have any security at all...
kinda sucks huh?
You don't even need a boot floppy most of the time:
;)
LILO: linux single
will do it most of the time..
Yes, and if you're surfing from a public terminal, I could also walk up after you and read your history file, the cache, etc.
So in other words, if you're stupid enough to be doing things on a public terminal that you're worried about people seeing, clean up after yourself.
It creates a directory called /tmp/nscomm40-.
(Yes, even 4.5 calls it "nscomm40...")
The directory and files are owned by the user and the permissions are set to:
-rw-------
The files are deleted upon exiting Netscape.
Seems secure enough to me!
1) Those of us who know, rarely surf the web in Windows anyway.
The equivalent file in Linux is owned by the person filling out the web form and has the permission -rw-------. It deletes itself after the form is submitted.
2) Now that we know about it, it's a misfeature, no longer a bug. Just manually delete the file (if you are unfortunate enough to be using Windows.)
Obviously. I can break into your house and steal your hard drive and pop it into my computer as root and mount it, and voila, I can read all your files in all your users' home directories and everything. That doesn't exactly count. I'm assuming the only way to stop that would be to encrypt everything and store the key in your head.
I just tried sending a few mails using Hotmail and no "file" appeared in my temp directory. In fact, the only one that was in there was a form that was submitted via email.
SO what? To me, this is not a Netscape bug, but a Windows bug. Netscape just places a file where it is most appropriate, the temp dir. It should be the OS's task to empty that dir regularly, and it is the OS's task to make sure the temp directory is not world-readable.
So not really a Netscape bug.
That is what you get if you think the web is a safe place to buy shit online....
May I suggest you try Artificial Turd Industries? I'm not sure about that safety thing, though :-)
I don't know JavaScript (and I assume this won't be possible), but...
Could a page be made such that accessing it will automagically clean out the history files and cache? Also, it could accept a forwarding argument, making it easy to be the home page for libraries, etc.
Just curious.
I can't remember the error but it prevents you from submitting any more forms.
Ignorant person, this is being
blocked by a corporate firewall
How to fix this? Let's see, how 'bout a line or two in autoexec.bat:
set tmp=c:\temp
set temp=c:\temp
deltree /y c:\temp
md c:\temp
Not accusing anyone of being pro-anything, but let's please *NOT* mix physical security and OS security... two different ball games. Linux/UNIX in general seems to have more options than any Windows variant to me, thus more ways you can do things like "linux init=/bin/sh", which is a nice recovery tool, imho, btw... :) but let's talk about OS security, where there's gonna be a winner, or physical security, where anything but a headless computer in a secure location loses at...
David
This sig left intentionally blank.
Looks to me here like Netscape keeps stuff like that in ~/.netscape/cache, which has 700 permissions. No one's about to pick my personal information out of there, unless they're root... and root would be me. ;)
Just goes to show that, while having a secure OS doesn't necessarily make your apps secure, you certainly can't have secure apps on an insecure OS...
Posted by HolyMackeralAndy:
That is what you get if you think the web is a safe place to buy shit online....
Yes, this problem was reported in BugTraq before... Linux/Unix users will have a nsform* shining in [/tmp, /var/tmp] after submitting a form...
And the REAL problem: lots of this nsform* on /tmp crashes NS/Linux in a great style! Try to reply to lots of mails on Netscape WebMail to see this in action.
Luckily crontab is my friend, and every 3 minutes he kills all nsform* on /tmp...
Oh, and I forgot to say: at least these nsform* aren't world-readable and world-writable...
Cesar Cardoso can be found at cesar at zyakannazio dot eti dot br (or at least I believe so)
This was gone over on BugTraq months ago. No news here.
Linux/Unix users - check out your /tmp (or /var/tmp) directory when you've just submitted a form. Read the new file. Decide if it hurts or not.
I can't remember if this is POST format forms only, or GET too. Either way, it shouldn't leave these things hanging around.
Oh, and it's not just 4.5 - it's every release ever, as far as I can see.
Passwords are left encoded. But not encrypted...
Ok, on my Linux box Netscape 4.5 seems to create files only readable by me (or root, which is sometimes the same).
It also seems to delete those forms after some time, because I submitted a couple of forms (via POST) and all I now have is /tmp/nscomm40-root which is drwxr-xr-x and is an empty dir.
It really seems to be a Windows bug. Besides, if old Netscape versions (or libc5? never checked that) do create files readable by everyone - couldn't I just write a shell wrapper for netscape which does umask?
Obama 2012: our incompetent asshole is slightly less of an incompetent asshole than the other incompetent asshole !
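The two mitigations floated in this thread for Unix users (a crontab that sweeps nsform* files out of /tmp, and a shell wrapper that sets a umask before starting netscape) can be combined into one wrapper. The script below is an added example, not code posted by anyone in the thread: it gives each browser session its own mode 0700 directory, exports TMPDIR/TMP/TEMP pointing at it, runs the program under umask 077, and removes leftover nsform* files when the program exits. Only the binary name "netscape" and the nsform* file pattern come from the thread; the function names, the nswrap directory prefix and the assumption that the browser honours TMPDIR/TMP/TEMP are mine. Sweeping the private directory rather than a shared /tmp is deliberate: a wildcard rm in a world-writable directory can be tricked by files someone else created.

```shell
#!/bin/sh
# Added example (not from the thread): run a browser with a private,
# per-session temp directory and a restrictive umask, then sweep any
# nsform* files it left behind. "netscape" and "nsform*" come from the
# thread; everything else here is an assumption for illustration.

# Create a private temp dir for one session. mktemp -d creates it with
# mode 0700, so other local users cannot list or read anything inside,
# regardless of what the program does with its own files.
make_private_tmpdir() {
    base="${1:-${TMPDIR:-/tmp}}"
    dir=$(mktemp -d "$base/nswrap.XXXXXX") || return 1
    chmod 0700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Count files matching the nsform* pattern in a directory (0 if none).
count_nsform_files() {
    n=0
    for f in "$1"/nsform*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Remove leftover nsform* regular files from the given directory and print
# how many remain. Intended for the private directory only, never for a
# shared /tmp where another user could plant matching names.
sweep_nsform_files() {
    for f in "$1"/nsform*; do
        if [ -f "$f" ]; then rm -f -- "$f"; fi
    done
    count_nsform_files "$1"
}

# Run a command with umask 077 and TMPDIR/TMP/TEMP pointing at a fresh
# private directory; sweep and remove the directory afterwards.
# Returns the command's own exit status.
run_with_private_tmp() {
    dir=$(make_private_tmpdir) || return 1
    if ( umask 077
         export TMPDIR="$dir" TMP="$dir" TEMP="$dir"
         "$@" ); then
        status=0
    else
        status=$?
    fi
    sweep_nsform_files "$dir" >/dev/null
    rmdir "$dir" 2>/dev/null || true
    return $status
}

# Typical use as a wrapper script:
#   run_with_private_tmp netscape "$@"
```

The wrapper only helps for files the browser places under the TMPDIR/TMP/TEMP it inherits; a program that hard-codes /tmp (or /var/tmp, as one poster reports) bypasses it, and the crontab sweep people mention is then the remaining option.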
nt4sp4, NS 4.5. Nothing in either my TEMP or my TMP directory.
Of course, I clean these out daily with a scheduled batch file. Too much goop accumulates in there. . . (also, tmp files in \WINNT).
How about using Yahoo mail (browser based) - you can see mail messages as plaintext in the cache directory.
Always clear your cache.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
V4.5 on NT4 and I just filled out a form.
Nothing. Does anyone have any hints as to how the file name is generated? Perhaps I can search for it.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
I mean, yeah, sure, it's a security issue, but seriously, a file left in your temp directory? You still would need physical or remote access to the machine somehow to get at it. Are we envisioning people walking around their offices with floppies to steal credit card numbers?
I would personally be more suspicious of the waiter in a restaurant jotting that stuff down while they've wandered off to prepare my bill.
Let's be serious about this, ok?
--
The real Paul Vallee is slashdot userid 2192, and, what do you mean it's not cool to point out your low userid?
I believe, based on empirical tests (though I haven't confirmed this with Netscape), that the bug occurs ONLY if the TMP and TEMP environment variables aren't set when Navigator loads. I have a habit of configuring my Windows directories as similarly as possible to a UNIX system (i.e. I have c:/home; c:/usr/lib; c:/tmp, etc.). My AUTOEXEC.BAT file says:
set TMP=c:\tmp
set TEMP=c:\tmp
path=c:\usr\bin;%path%
.
.
Check out the Microsoft Windows programming references for the semantics of TMP and TEMP.
I've been scanning for the residual forms files periodically, and they've never been installed in my system. Based on empirical tests, I'd guess that the module that creates them has a hard-coded #ifdef statement or something that affects the Windows version when the TMP and TEMP variables aren't initialized. My C:/WINDOWS/TEMP directory only had one residual file, created last November by Internet Explorer (which I only use for testing the display of our own web pages).
I thought you'd like to know about this. Also, advise your Windows friends NEVER to share their whole C: drive root directory ::grin::
Eugene
http://eugeneciurana.com | http://ciurana.eu
Before everyone gets into a knock down dirty flame war about Linux vs Windows and what's more secure, remember the problem is people having access in front of the computer. On windows, you go and look in the temp directory. If you think the permissions mean anything under Linux I may be able to just hit control-alt-delete on your system, catch it at lilo, hit tab to see what your linux boot profile is called (lets say its "linux")
LILO> linux init=/bin/sh
Guess what, your computer just dropped me into a shell without asking for your root password. If you let people in front of your computer, Linux isn't much more secure than Windows. If you don't, at least someone can't telnet into Windows. I'd be more concerned about this being an issue under Linux.
Ludo
none Yet.
Use TweakUI's paranoia tab and have it clear all that type of stuff out when you log out. This should alleviate the problem.
K
In Vino Veritas
Why is this file such a big deal? I tried this myself. It does not store passwords, only form data. Frankly there were also .tmp files from all kinds of applications in the temp directory, some of which also contained data from the respective applications, including MS Word.
BTW, the temp directory is only in the /windows directory on a default install. If you add a tmp=blah line in autoexec.bat it is changeable.
I tried logging into 2 sites with secure forms. I filled in new applications for access, replied to the information forms, and kept checking in the background to see what was showing in the temp files. It was not much..
In neither case did the password or login I chose show up.
I agree it is very sloppy programming to allow one application to scribble to temp directories and not clean up. However I can not see this as a big "security" problem.
If someone has the kind of access to a machine to grab the contents of tmp then they basically own the machine and can install all kinds of programs, including but not limited to Back Orifice.
Maurice W. Hilarius Voice: (778) 347-9907
In Linux, that means:
a) Set your computer to boot from HDD only.
b) Require a password on BIOS setting changes.
c) Add the "restricted" keyword to lilo.conf and rerun lilo.
Now nobody gets into your computer without logging in with a valid account or cracking your case.
In Windows 9x, that means:
a) Set your BIOS not to boot without a password
Now nobody gets into your computer at all. If you want to let someone use your computer, you've given them root. Hope they like you.
Instead of using windows/temp, Netscape 4.5 uses /temp instead. One level higher in the FS ... so more visible!
:wq
Some people tend to forget there is a non-Windows world out there.
But I suppose you're perfectly happy to order over the phone and give your credit card info to some minimum wage loser...
.
Who'da thunk it, all this multi-user stuff is good technology for the home.
And MS was telling us just a few years ago that we didn't even want multitasking...
"If you're not passionate about your operating system, you're married to the wrong one."
This seems like an obvious security hole. I'm assuming this doesn't apply to other OSes?
But I'm curious, was this hole discovered because the source was released?
~afniv
"Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"
"We could be happy if the air was as pure as the beer"
Richard von Weizs
I tried downloading an October 16 build from a site created by a chap who did Linux Mozilla builds.
When I try starting it, I get
error in loading shared libraries: lib/libnspr21.so: undefined symbol: __divdi3
Any idea how to find the missing symbol?
D
You can read those files remotely. I've already tried demo sites on the net which can not only view your directory structure if you have java/javascript on but can read any file off your hard drive.
Well, I like 4.08 better anyways, (marginally) less bloat, less crash, and good enough for me. I'll just wait for 5.0.1 (The bug fix for the next full release. :) Besides, from the looks of this, it only affects Windows 9x users, which I'm not.
If there are there any enterprising win9x programmers around looking for ideas on what to make next, one of you might want to come up with a cleaner that wipes unused files out of the windows temp directory. It might not be a fix for the netscape problem itself, but it'd cover for probably a lot of programs with similar bugs in them.
Linux/Unix users - check out your /tmp (or /var/tmp) directory when you've just submitted a form. Read the new file. Decide if it hurts or not. I can't remember if this is POST format forms only, or GET too. Either way, it shouldn't leave these things hanging around.
Well, I just sent a POST and a GET form, looked in /tmp, and /var/tmp, and /usr/tmp, and found no new files whatsoever. Actually, except for the X-Windows lock and device files, there's nothing in any of those dirs right now, and according to the modify-times on the directories, they haven't even been used since before I started Netscape, so the files weren't even created and removed. Netscape on Unix doesn't use /tmp, or /var/tmp, period. It uses a cache directory and an archive directory in the user's own home directory, which is only readable by the user themselves. The only way that can be thrown open to the public, and accessible, is if the user (or root) opens it on purpose, and then it's not the program's fault, it's the user's. Yep, the form data gets stored, that's why you can reload a form-generated page later and get asked "Repost Form Data?", but it's not kept in a public place unless you're using Windows.
With physical access to your machine...
True, but that's where the 'too much of a pain in the ass to be worth it' factor comes in... anyone who feels the need to sneak into my office at night, disable the alarm on the building, boot up with a rescue disk, search out which drive/partition my Linux files are on, and scan the hard drive just to see what I submitted as for a form really needs to consider seeking professional psychiatric help. (Of course, anyone going to the trouble of doing all that even for a Windows machine for the same reason also needs to visit a good psychiatrist.)
I just wanted to let those of you who are so stuck up about the superiorities of Linux security to know that this problem exists under Linux, too. Go into the /tmp directory, and you can look at the contents of all the nsform* files that are left there after submitting forms. And BTW, if you are thinking file permissions will solve this problem under Linux and not under Windows, demonstrating superior security in Linux, think again... NT has Unix-like file permissions, too, so this solution could be implemented on both platforms. And I speak as a former NT user, who dumped it in favor of Linux. If you use NT, just right-click on a file in the explorer, and click on the "Security" tab... You will see what I mean. Don't get me wrong: I am a Linux user all the way... I do think there are reasons to say that Linux is greatly superior to NT... I know firsthand what some of these reasons are. All I am saying is, don't start making smart-ass claims about things when you haven't a clue what you are talking about... Make sure you know what you are talking about before you post.
Gee, at the risk of sounding smug, I'll bet that I don't suffer from this problem under Linux. And besides, even if I did, the only person who would be able to find the info would be me or root. And since I'm the only one who logs in as root, I guess that this isn't a problem. Kinda cool!
This won't affect me :)
-Master Switch, one more element in the machine
That's not new at all. This so-called "bug" has been known for a couple of years, since the Netscape 2 or 3 era, I think. It just doesn't matter if someone happens to read your worthless data. At last, if you are so worried about your privacy then stop crying and clear your damn /tmp directory and your cache and use strong encryption.