This problem is fixed in Netscape 2.01, though it has been reported that a cleverer piece of JavaScript can still read one's directory.
Netscape 2.01 allows one to switch off JavaScript, so if any of these security problems concern you, use Security Preferences... -> General -> Disable JavaScript. Java may be left enabled - I know of no security problems with this inherently more secure system.
With Netscape 2.0, you can try it by typing in a local directory name (e.g. /users/adye) in the first field and an e-mail address in the second. Then press Send.
The specified user will then be sent an e-mail containing a list of all the
files in your directory. Fortunately there is no reported way of returning the
file contents (except for certain information about HTML documents).
This JavaScript program only mails its results to the person you specify and only if you press Send, but a malicious document could send the results to anybody without confirmation. It could also list subdirectories, traversing an entire directory tree.
The recipient will of course also receive your e-mail address in the From: field.
This program is based closely on http://www.osf.org/~loverso/javascript/dir.html by John Tennyson, but (since I don't have a CGI server) I modified it to mail the results.
See http://www.osf.org/~loverso/javascript/track-mee.html for details of another Netscape 2.0 security loophole that would allow someone to track your web browsing (supposedly fixed in Netscape 2.01, but again there is a way round this).
The information on this page was obtained from The WWW Security FAQ.