Netscape Bug Reproduced

Subject: Netscape privacy problem reproduced at EIFIST
Date: 6/16/97 5:34 PM

Netscape privacy problem:

Using information gleaned from the web site of the Danish company that first reported the problem, Keith Woodard and Dave Humphrey at EIFIST have built a web page which reproduces the privacy problem in Netscape Navigator and Communicator web browsers. From that effort they have developed a better understanding of how the Netscape bug works, and what defensive measures users can take until a bugfix is available from Netscape.

First, the problem is indeed read-only, and involves only files to which the explicit path name is known.

Second, all file systems accessible from the Netscape user's system are reachable -- that means mapped network drives as well as the local hard disk.

Third, JavaScript can be used by a web site to automate reading a user's file so that it is invisible to the user. However, the bug does not involve use of Java at all.

The demo website can be visited at the following URL:

http://eifist.frb.org/hacker/fileupload.html

Please urge all Internet web users to take the following interim steps until a permanent fix is available from Netscape:

* In Navigator 3.x and 2.x, go to the Options menu and select Security Preferences. Select the "Submitting a Form Insecurely" preference to enable that warning dialog box. This will generate a warning box whenever a site tries to upload a form, giving the user a chance to decide whether to allow it.

* Also, in Navigator 3.x and 2.x, go to the Options menu and select Network Preferences. Turn OFF the "Enable JavaScript" preference. This will block execution of JavaScript code which might try to perform an invisible file upload, while permitting display of the rest of the page.

These measures are temporary until a full bug fix is made available by Netscape and proven against the EIFIST demo page.

Regards
participants (1)
-
nobody@huge.cajones.com