Netscape Navigator 3.x and 4.x for Linux and UNIX contains security vulnerability in which sensitive user information is easily obtainable from core dumps.
e2e6a60c543e5e2794580b05b6757d800904326df1b02762d71a126a7d538fb6
Problem with Netscape Navigator Core Dumps
******************************************
When Netscape Navigator for unix dumps core, at least the following are readily
extractable from the core dump:
* the complete contents of the user's bookmarks file
* the URL of every site visited in the session
* the text of every site visited in the session
* the complete contents of the user's unix environment
* plaintext of ANY USERNAME/PASSWORD PAIR USED DURING THE SESSION, and the
urls to which they belong
* the contents of ANY FORM SUBMITTED during the session
This stuff is trivially accessible using the "strings" utility or a binary
editor. I first noticed this while idly poking at a core left by Netscape when
it crashed during normal use. When I started testing, I caused dumps by sending
SIGILL.
Versions tested (and vulnerable):
3.04 - Solaris, linux
4.04 - Solaris, linux
4.05 - Solaris
4.08 - Solaris, linux
Versions on which I could NOT reproduce this (which doesn't mean that problem
isn't there, just that I couldn't make it happen):
4.5 - Solaris
Other info:
* The cores are dumped into Netscape's cwd, which is usually a user's home
directory.
* When the cores are dumped, they are dumped with permissions set according to
the user's umask. So, if permissions on the user's directory and the
user's umask are 700 and 077 respectively, the core file will not be
readable by other, non-root users. That being the case, it's probably
easier to obtain username/password pairs by ethernet sniffing, however,
that's no reason for Netscape to ignore the problem, and many users
(including admins) are not so careful about their permissions...
* Netscape was notified of the existence of this probem approximately two weeks
ago, and I've had no response of any kind.
by echo8, 3/4/1999