Major new security bug in Netscape

SCF writes "This article illustrates yet another browser security bug. This time, it's in Netscape 4.5. Data from submitted forms stays in the Windows temp directory for the world to see, exposing any personal data you've filled out on a site."
This discussion has been archived. No new comments can be posted.

  • Not accusing anyone of being pro-anything, but let's please *NOT* mix physical security and OS security... two different ball games. Linux/UNIX in general seems to have more options than any windows variant to me, thus more ways you can do things like "linux init=/bin/sh", which is a nice recovery tool, imho, btw... :) but let's talk about OS security, where there's gonna be a winner, or physical security, where anything but a headless computer in a secure location loses at...

    David
  • Looks to me here like Netscape keeps stuff like that in ~/.netscape/cache, which has 700 permissions. No one's about to pick my personal information out of there, unless they're root... and root would be me. ;)

    Just goes to show that, while having a secure OS doesn't necessarily make your apps secure, you certainly can't have secure apps on an insecure OS...
  • Posted by HolyMackeralAndy:

    That is what you get if you think the web is a safe place to buy shit online....
  • Yes, this problem was reported in BugTraq before... Linux/Unix users will have a nsform* shining in [/tmp, /var/tmp] after submitting a form...
    And the REAL problem: lots of these nsform* on /tmp crashes NS/Linux in a great style! Try to reply to lots of mails on Netscape WebMail to see this in action.
    Luckily crontab is my friend, and every 3 minutes he kills all nsform* on /tmp...

    Oh, and I forgot to say: at least these nsform* aren't world-readable and world-writable...
  • This was gone over on BugTraq months ago. No news here.

    Linux/Unix users - check out your /tmp (or /var/tmp) directory when you've just submitted a form. Read the new file. Decide if it hurts or not.

    I can't remember if this is POST format forms only, or GET too. Either way, it shouldn't leave these things hanging around.

    Oh, and it's not just 4.5 - it's every release ever, as far as I can see.

    Passwords are left encoded. But not encrypted...
  • Ok, on my Linux box Netscape 4.5 seems to create files
    only readable by me (or root, which is sometimes the same).
    It also seems to delete those forms after some time
    because I submitted a couple of forms (via POST) and
    all I now have is /tmp/nscomm40-root which is drwxr-xr-x
    and is an empty dir.
    It really seems to be a Windows bug. Besides, if
    old netscape versions (or libc5? never checked that)
    do create files readable by everyone - couldn't I
    just write a shell wrapper for netscape which does umask?
  • nt4sp4, NS 4.5. Nothing in either my TEMP or my TMP directory.
    Of course, I clean these out daily with a scheduled batch file. Too much goop accumulates in there. . . (also, tmp files in \WINNT).

    How about using Yahoo mail (browser based) - you can see mail messages as plaintext in the cache directory.

    Always clear your cache.
  • V4.5 on NT4 and I just filled out a form.
    Nothing. Does anyone have any hints as to how the file name is generated? Perhaps I can search for it.

  • I mean, yeah, sure, it's a security issue, but seriously, a file left in your temp directory? You still would need physical or remote access to the machine somehow to get at it. Are we envisioning people walking around their offices with floppies to steal credit card numbers?
    I would personally be more suspicious of the waiter in a restaurant jotting that stuff down while they've wandered off to prepare my bill.
    Let's be serious about this, ok?
    --
  • IMHO, I think this bug is overblown. I have been running Netscape Navigator since it became publicly available, submitting forms left and right, and have never experienced this bug.

    I believe, based on empirical tests (though I haven't confirmed this with Netscape), that the bug occurs ONLY if the TMP and TEMP environment variables aren't set when Navigator loads. I have a habit of configuring my Windows directories as similarly as possible to a UNIX system (i.e. I have c:/home; c:/usr/lib; c:/tmp, etc.). My AUTOEXEC.BAT file says:

    set TMP=c:\tmp
    set TEMP=c:\tmp
    path=c:\usr\bin;%path%
    .
    .

    Check out the Microsoft Windows programming references for the semantics of TMP and TEMP.

    I've been scanning for the residual forms files periodically, and they've never been installed in my system. Based on empirical tests, I'd guess that the module that creates them has a hard-coded #ifdef statement or something that affects the Windows version when the TMP and TEMP variables aren't initialized. My C:/WINDOWS/TEMP directory only had one residual file, created last November by Internet Explorer (which I only use for testing the display of our own web pages).

    I thought you'd like to know about this. Also, advise your Windows friends NEVER to share their whole C: drive root directory ::grin::

    Eugene

  • Before everyone gets into a knock down dirty flame war about Linux vs Windows and what's more secure, remember the problem is people having access in front of the computer. On windows, you go and look in the temp directory. If you think the permissions mean anything under Linux I may be able to just hit control-alt-delete on your system, catch it at lilo, hit tab to see what your linux boot profile is called (let's say it's "linux")

    LILO> linux init=/bin/sh

    Guess what, your computer just dropped me into a shell without asking for your root password. If you let people in front of your computer, Linux isn't much more secure than Windows. If you don't, at least someone can't telnet into Windows. I'd be more concerned about this being an issue under Linux.
  • by Tsk ( 2863 )
    Here are some simple solutions that come immediately to mind:

    1. Use lynx -- ok you don't get frames and buzz stuff but it's fast ...
    2. Give a hand to the mozilla project and use mozilla's beta


    Ludo
  • Use TweakUI's paranoia tab and have it clear all that type of stuff out when you log out. This should alleviate the problem.
    K
  • Why is this file such a big deal?
    I tried this myself. It does not store passwords, only form data. Frankly there were also .tmp files from all kinds of applications in the temp directory, some of which also contained data from the respective applications, including MS Word.
    BTW, the temp directory is only in the /windows directory on a default install. If you add a tmp=blah line in autoexec.bat it is changeable.

    I tried logging into 2 sites with secure forms. I filled in new applications for access, replied to the information forms, and kept checking in the background to see what was showing in the temp files. It was not much..
    In neither case did the password or login I chose show up.

    I agree it is very sloppy programming to allow one application to scribble to temp directories and not clean up. However I can not see this as a big "security" problem.

    If someone has the kind of access to a machine to grab the contents of tmp then they basically own the machine and can install all kinds of programs, including but not limited to Back Orifice.

  • In Linux, that means:

    a) Set your computer to boot from HDD only.
    b) Require a password on BIOS setting changes.
    c) Add the "restricted" keyword to lilo.conf and rerun lilo.
    Now nobody gets into your computer without logging in with a valid account or cracking your case.

    In Windows 9x, that means:

    a) Set your BIOS not to boot without a password
    Now nobody gets into your computer at all. If you want to let someone use your computer, you've given them root. Hope they like you.
  • Instead of using windows/temp, Netscape 4.5 uses /temp instead. One level higher in the FS ... so more visible!
  • Some people tend to forget there is a non-Windows world out there.
  • But I suppose you're perfectly happy to order over the phone and give your credit card info to some minimum wage loser...
    .
  • Who'da thunk it, all this multi-user stuff is good technology for the home.

    And MS was telling us just a few years ago that we didn't even want multitasking...
  • This seems like an obvious security hole. I'm assuming this doesn't apply to other OS's?

    But I'm curious, was this hole discovered because the source was released?

    ~afniv
    "Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"
    "We could be happy if the air was as pure as the beer"
  • I tried downloading an October 16 build from a site created by a chap who did Linux Mozilla builds.

    When I try starting it, I get

    error in loading shared libraries: lib/libnspr21.so: undefined symbol: __divdi3

    Any idea how to find the missing symbol?

    D
  • You can read those files remotely. I've already tried demo sites on the net which can not only view your directory structure if you have java/javascript on but can read any file off your hard drive.
  • Well, I like 4.08 better anyways, (marginally) less bloat, less crash, and good enough for me. I'll just wait for 5.0.1 (The bug fix for the next full release. :) Besides, from the looks of this, it only affects Windows 9x users, which I'm not.

    If there are any enterprising win9x programmers around looking for ideas on what to make next, one of you might want to come up with a cleaner that wipes unused files out of the windows temp directory. It might not be a fix for the netscape problem itself, but it'd cover for probably a lot of programs with similar bugs in them.
  • Linux/Unix users - check out your /tmp (or /var/tmp) directory when you've just submitted a form. Read the new file.
    Decide if it hurts or not.
    I can't remember if this is POST format forms only, or GET too. Either way, it shouldn't leave these things hanging around.

    Well, I just sent a POST, and a GET form, looked in /tmp, and /var/tmp, and /usr/tmp, and found no new files, whatsoever. Actually, except for the X-Windows lock and device files, there's nothing in any of those dirs right now, and according to the modify-times on the directories, they haven't even been used since before I started Netscape, so the files weren't even created and removed. Netscape on Unix doesn't use /tmp, or /var/tmp, period. It uses a cache directory and an archive directory in the user's own home directory, which is only readable by the user themself. The only way that can be thrown open to the public, and accessible is if the User (or root) opens it on purpose, and then it's not the program's fault, it's the user. Yep, the form data gets stored, that's why you can reload a form-generated page later and get asked "Repost Form Data?", but it's not kept in a public place unless you're using Windows.
  • With physical access to your machine...
    True, but that's where the 'too much of a pain in the ass to be worth it' factor comes in... anyone who feels the need to sneak into my office at night, disable the alarm on the building, boot up with a rescue disk, search out which drive/partition my Linux files are on, and scan the hard drive just to see what I submitted as for a form really needs to consider seeking professional psychiatric help. (Of course, anyone going to the trouble of doing all that even for a Windows machine for the same reason also needs to visit a good psychiatrist.)
  • I just wanted to let those of you who are so stuck up about the superiorities of Linux security to know that this problem exists under Linux, too. Go into the /tmp directory, and you can look at the contents of all the nsform* files that are left there after submitting forms. And BTW, if you are thinking file permissions will solve this problem under Linux and not under Windows, demonstrating superior security in Linux, think again... NT has Unix-like file permissions, too, so this solution could be implemented on both platforms. And I speak as a former NT user, who dumped it in favor of Linux. If you use NT, just right-click on a file in the explorer, and click on the "Security" tab... You will see what I mean. Don't get me wrong: I am a Linux user all the way... I do think there are reasons to say that Linux is greatly superior to NT... I know firsthand what some of these reasons are. All I am saying is, don't start making smart-ass claims about things when you haven't a clue what you are talking about... Make sure you know what you are talking about before you post.
  • Gee, at the risk of sounding smug, I'll bet that I don't suffer from this problem under Linux. And besides, even if I did, the only person who would be able to find the info would be me or root. And since I'm the only one who logs in as root, I guess that this isn't a problem. Kinda cool!
  • This won't affect me :)
  • That's not new at all. This so-called "bug" has been known for a couple of years, since the Netscape 2 or 3 era, I think. It just doesn't matter if someone happens to read your worthless data. At last, if you are so worried about your privacy then stop crying and clear your damn /tmp directory and your cache and use strong encryption.
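
Added example, not part of any comment in the thread: several posters describe looking in /tmp and /var/tmp for leftover nsform* files, and one asks whether a shell wrapper that sets umask would keep them private. The sketch below does both; the function names are hypothetical, and the umask wrapper only helps when the program does not widen the permissions itself after creating the file.

```shell
#!/bin/sh
# Added example: audit temp directories for leftover form-data files.
# The "nsform*" pattern and the /tmp, /var/tmp locations come from the
# comments in the thread; function names and output format are assumptions.

# Print every nsform* regular file directly inside the given directories
# that grants read or write access to group or other.
list_exposed_nsform() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # Each -perm -NNN test matches when that single bit is set.
        find "$dir" -maxdepth 1 -type f -name 'nsform*' \
            \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) \
            -print
    done
}

# Run a command with a restrictive umask so files it creates default to
# owner-only (0600 for files, 0700 for directories). The subshell keeps
# the caller's own umask unchanged.
run_private() {
    ( umask 077; "$@" )
}

# Report exposed leftovers in the usual temp locations.
list_exposed_nsform "${TMPDIR:-/tmp}" /var/tmp

# Usage of the wrapper (browser binary name is an assumption):
#   run_private netscape
```

An empty report means no nsform* file in those directories is readable or writable by anyone but its owner; it does not mean no form data was left behind.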
