Mail Local Directory Info

This page demonstrates a security flaw in JavaScript, which is included in Netscape 2.0. Netscape 2.0 does not allow one to turn off JavaScript (but it is possible to patch Netscape), so you are potentially vulnerable to this whenever you access a document from an untrusted server (i.e. most of the time), since it may contain a hidden malicious JavaScript program. Fortunately all such a program could do is obtain some information: your e-mail address, directory listing (but mostly no file contents), and where you access documents from subsequently. It could not cause any damage.

This problem is fixed in Netscape 2.01, though it has been reported that a cleverer piece of JavaScript can still read one's directory. Netscape 2.01 allows one to switch off JavaScript, so if any of these security problems concern you, use Security Preferences... -> General -> Disable JavaScript. Java may be left enabled - I know of no security problems with this inherently more secure system.

With Netscape 2.0, you can try it by typing in a local directory name (e.g. /users/adye) in the first field and an e-mail address in the second. Then press Send. The specified user will then be sent an e-mail containing a list of all the files in your directory. Fortunately there is no reported way of returning the file contents (except for certain information about HTML documents).


List directory
Mail results to

This JavaScript program only mails its results to the person you specify and only if you press Send, but a malicious document could send the results to anybody without confirmation. It could also list subdirectories, traversing an entire directory tree. The recipient will of course also receive your e-mail address in the From: field.

This program is based closely on http://www.osf.org/~loverso/javascript/dir.html by John Tennyson, but (since I don't have a CGI server) I modified it to mail the results.

See http://www.osf.org/~loverso/javascript/track-mee.html for details of another Netscape 2.0 security loophole that would allow someone to track your web browsing (supposedly fixed in Netscape 2.01, but again there is a way round this).

The information on this page was obtained from The WWW Security FAQ.


Tim Adye