www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Dolezal <dole...@mailhost.mrms.navy.mil>
Subject other/850: JavaScript Vulnerability
Date Thu, 10 Jul 1997 15:10:01 GMT

>Number:         850
>Category:       other
>Synopsis:       JavaScript Vulnerability
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Jul 10 08:10:00 1997
>Originator:     dolezal@mailhost.mrms.navy.mil
>Release:        all
I do not know that this is a problem or not.  I have not seen anything on
your web site that talks of this.

>CERT* Advisory CA-97.20
>Original issue date: July 8, 1997
>Last revised: --
>Topic: JavaScript Vulnerability
>The CERT Coordination Center has received reports of a vulnerability in
>JavaScript that enables remote attackers to monitor a user's Web activities.
>The vulnerability affects several Web browsers that support JavaScript.
>The vulnerability can be exploited even if the browser is behind a firewall
>and even when users browse "secure" HTTPS-based documents.
>The CERT/CC team recommends installing a patch from your vendor or upgrading
>to a version that is not vulnerable to this problem (see Section III. A).
>Until you can do so, we recommend disabling JavaScript (see Section III.B).
>We will update this advisory as we receive additional information.
>Please check our advisory files regularly for updates that relate to your
>I.   Description
>     Several web browsers support the ability to download JavaScript programs
>     with an HTML page and execute them within the browser. These programs
>     are typically used to interact with the browser user and transmit
>     information between the browser and the Web server that provided the
>     page.
>     JavaScript programs are executed within the security context of the page
>     with which they were downloaded, and they have restricted access to
>     resources within the browser. Security flaws exist in certain Web
>     browsers that permit JavaScript programs to monitor a user's browser
>     activities beyond the security context of the page with which the
>     program was downloaded. It may not be obvious to the browser user that
>     such a program is running, and it may be difficult or impossible for the
>     browser user to determine if the program is transmitting information
>     back to its web server.
>     The vulnerability can be exploited even if the Web browser is behind a
>     firewall (if JavaScript is permitted through the firewall) and even when
>     users browse "secure" HTTPS-based documents.
>II.  Impact
>     This vulnerability permits remote attackers to monitor a user's browser
>     activity, including:
>        * observing the URLs of visited documents,
>        * observing data filled into HTML forms (including passwords), and
>        * observing the values of cookies.
>III. Solution
>     The best solution is to obtain a patch from your vendor or upgrade to a
>     version that is not vulnerable to this problem. If a patch or upgrade is
>     not available, or you cannot install it right away, we recommend
>     disabling JavaScript until the fix is installed.
>     A. Obtain and install a patch for this problem.
>        We are currently in communication with vendors about this problem.
>        See Appendix A for the current information. We will update the
>        appendix when we receive further information.
>     B. Disable JavaScript.
>        Until you are able to install the appropriate patch, we recommend
>        disabling JavaScript in your browser. Note that JavaScript and Java
>        are two different languages, and this particular problem is only with
>        JavaScript. Enabling or disabling Java rather than JavaScript will
>        have no affect on this problem.
>        The way to disable JavaScript is specific to each browser. The
>        option, if available at all, is typically found as one of the Options
>        or Preferences settings.
>Appendix A - Vendor Information 
>Below is information we have received from vendors.  We will update this
>appendix as we receive additional information. 
>   Microsoft will announce their patches for this problem at
>	http://www.microsoft.com/ie/security/update.htm
>The CERT Coordination Center thanks Vinod Anupam of Bell Labs, Lucent
>Technologies, for identifying and analyzing this problem, and vendors for
>their support in responding to this problem.
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident Response
>and Security Teams (see http://www.first.org/team-info/).
>CERT/CC Contact Information
>- ----------------------------
>Email    cert@cert.org
>Phone    +1 412-268-7090 (24-hour hotline)
>                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
>                and are on call for emergencies during other hours.
>Fax      +1 412-268-6989
>Postal address
>         CERT Coordination Center
>         Software Engineering Institute
>         Carnegie Mellon University
>         Pittsburgh PA 15213-3890
>         USA


View raw message