Mailinglist Archive: opensuse-security (601 mails)

Re: [SLE] FYI- Netscape 4.4 -4.7 [Serious Java Security BUG]
  • From: Eduardo Carriles <eduardo.carriles@xxxxxxxxxxx>
  • Date: Wed, 09 Aug 2000 07:01:40 +0200
  • Message-id: <3990E5B4.42F15C13@xxxxxxxxxxx>
Hi (un- named) "sds07",

Thanks a lot for the tip!! =`:)

Hi friends All:
____________________________________________
[++ JAVA related exploit ahead ++]
If you got a Netscape browser running you better disable/close Java till
further notice...
[Or trust sites that you frequent]

(All platforms, though??)
(does not affect _winie_??)
(does not affect _moz5/nscp6-pre2_??)

[WARN]
Just: Edit/Preferences/Advanced and disable: "Enable Java"
Act ASAP.

You are Warned!!

----
On Tue, 8 Aug 2000 10:06:07 -0400 sds07@xxxxxxxxxxxxxxxxxx wrote:

> No flames, please. Just an FYI!
> Netscape bug...
> http://dailynews.yahoo.com/h/ap/20000807/tc/netscape_bug_2.html

----
No need to, just more (a lot more indeed):

____________________________________________
[INFO/TRACE of search documentation procedure performed]

** From using bottom Search box = "netscape" on
"Slashdot: News for nerds, stuff that matters"
URL: http://www.slashdot.org/

** gives:
"Slashdot: Search netscape"
URL: http://slashdot.org/search.pl?query=netscape

** And then clicking on link:
"Java Security Hole Makes Netscape Into Web Server by Hemos on Saturday
August 05, @10:22PM EDT"
URL: http://slashdot.org/article.pl?sid=00/08/06/0222241&mode=thread

** gives:
"Slashdot | Java Security Hole Makes Netscape Into Web Server"
URL: http://slashdot.org/article.pl?sid=00/08/06/0222241&mode=thread

** which notes:
[Posted by Hemos (1) on Saturday August 05, @10:22PM
from the big-and-bad dept.
Baldrson (2) and other folks as well write: "Dan Brumleve is at it again
with Brown Orifice (3). In this episode, our fearless grey hat (4) opens
a security hole in the Web's foundation that makes Napster (5) look
positively tame by comparison. Be careful with this, kids. It turns your
Netscape Web browser into a Web server that can serve up your entire
file system to any other Web browser."]

[clicks]
(1) "Hemos" URL: http://hemos.net
(2) "Baldrson" URL: mailto:jabowery@xxxxxxxxxx
(3) "Brown Orifice" URL: http://www.brumleve.com/BrownOrifice/
(4) "grey hat" URL:
http://slashdot.org/comments.pl?sid=00/07/27/1343236&cid=310
(5) "Napster" URL: http://www.napster.com/

[clicks expanded]
(3) "Brown Orifice HTTPD Homepage"
URL: http://www.brumleve.com/BrownOrifice/

## ---- In a nutshell ----
** Test Orifice On-Line
URL: (same) http://www.brumleve.com/BrownOrifice/
** Test BOHTTPD Spy ("see a list of links to browsers currently running
BOHTTPD")
URL: http://www.brumleve.com/BrownOrifice/BOHTTPD_spy.cgi
** Download ("get a copy of the Brown Orifice site and source code"):
URL: http://www.brumleve.com/BrownOrifice/BOHTTPD_download.cgi
## ---- ------------- ----

(4) "Articles: Security Through Obscurity A GOOD Thing?"
URL: http://slashdot.org/comments.pl?sid=00/07/27/1343236&cid=310

** which key notes:
"Give Grey Hats the Right Incentives"
[end clicks]

____________________________________________
[COMMENTS]
I have not got time / intentions to test "Brown Orifice", hope somebody
will do and post results.

Note the (4) key on:
//Dan Brumleve, the developer of DBarter (a)
(which won the Hackers Conference prize for "best work in progress" last
year (b))
was quite young when he discovered his first Netscape exploit Tracker
(c).
Netscape subsequently gave credit for finding the "Tracker" hole to a
guy from Bell Labs."//,
and consequences...
URL (again):
http://slashdot.org/comments.pl?sid=00/07/27/1343236&cid=310

(a) See [DBarter - Financial Infrastructure for the Internet]
URL: http://www.dbarter.com/

(b) See Dan showing won prize in hand (JPG), at his page:
URL: http://www.dbarter.com/images/dan.jpg

(c) See The Tracker Bug / Security Update on Netscape as of AUGUST 4,
1997:
URL: http://home.netscape.com/security/notes/previous/tracker.html

[INMHO]
It is a matter of who tries harder.

[SALT ]
Or a "grain of it", as Lenz wrote on one of his numerous posts, He
helping as ever:

"Yes, I totally agree. Automated updating should be taken with a grain
of Salt :)"

See Lenz's post on "Re: [suse-security] SuSE security reputation, etc.."
at:
URL: http://lists.suse.com/archives/suse-security/2000-Aug/0088.html

[HEAVY SALT]
Fiuuu, it is available (BOHTTPD) to general public, source included,
just waiting for some idiot to borrow it, enhance it, spread garbage on
the Net, maybe learn some Java in the process, and who knows...

Java performing.

A Saga on its own.

____________________________________________
[GRINS, GRRR's and more]
Although I'm a Netscape® Communicator 4.74 128bits user, as you can see
on:
Headers/All: [X-Mailer: Mozilla 4.74 [en] (Win95; U)]
(procedure if you use Netscape also).

Through which I usually post. (3Com ADSL HomeConnect PCI 3CP3617, lack
to support Linux, problem related!! GRRRR...)

Cannot use my SuSE Linux to post directly to Net through ADSL, again
GRRRR......
[XzFrSk¿?)¿)?$$!$·Arrrrgghhhsh...rumble rumble]

____________________________________________
Too much for one post... (beg your pardon!!) =`8)

The War continues...

No more for now.

--
HTH

Best regards,
Eduardo Carriles

[-- Better a smile than a flame --]
(Long time SuSE-Linux [preferred distro] user).
[-- Se me nota mucho? -- Notices me much?]
[-- Have a lot of fun...]


