There is a security bug in Netscape Communicator 4.6 Win95, 4.07 Linux (guess all 4.x versions are affected) in the way they treat JavaScript code in the title of the document.

One may embed JavaScript code in the TITLE tag. If the info about the document
is shown, then the JavaScript code is executed. The info about the document may be infoked by a script using 'location="wysiwyg://1/about:document" '.

The problem is that the JavaScript code is executed in the security context of the "about:" protocol. This allows accessing documents in the "about:" protocol such as: "about:cache", "about:config", "about:global", etc.

Vulnerabilities:
 * Reading user's cache and accessing information such as passwords, credit card numbers.
 * Reading info about the Netscape's configuration ("about:config"). This includes  finding user's email address, mail servers, the encoded mail password   (it must me saved and may be decoded). This allows reading user's email.
The more dangerous part is that this vulnerability MAY BE EXPLOITED USING HTML MAIL MESSAGE.

Workaround: Disable JavaScript

| Home | Internet Explorer | Windows 2000 | AIX | Netscape | Greets | More... |