Mailing List Archive


RE: tlug: Cache cow security hole



Hi,

On 30-Sep-98 Jonathan Byrne wrote:
> Here's a site everybody should check out, if they haven't already seen it.
> It is possible to suck out all of Netscape's cached information, including
> credit card numbers (yup, it saves those!) without your knowing it. 

Any webmaster still using GET for forms transmission 'gets' what he deserves:

<--
Subject: Re: New JavaScript Privacy Bug Found, Part 2
Newsgroups: comp.lang.javascript,comp.infosystems.www.browsers.misc,comp.infosystems.www.browsers.ms-windows,comp.infosystems.www.browsers.x,comp.security.misc
Followup-To: comp.lang.javascript,comp.infosystems.www.browsers.misc,comp.infosystems.www.browsers.ms-windows,comp.infosystems.www.browsers.x,comp.security.misc

The contents of forms you have submitted via the GET method are
available to anyone running an exploit program, since the submitted
data is part of the URL string. 
-->

A simple solution is to disable JavaScript when you don't need it. It's too
bad, I like many of the things JavaScript can do, but I find myself surfing
more and more with it disabled - too many pop-up menus, jerk webmasters who try
to redirect you with onUnload(), etc.

Another useful item is a shell script that removes the ~/.netscape/cache/*
and ~/.netscape/archive/* whenever you run it. (email me if you need one)

Thanks,

Jim S.




---------------------------------------------------------------
Next Meeting: 10 October, 12:30 Tokyo Station Yaesu central gate
Featuring the IMASY Eng. Team on "IPv6 - The Next Generation IP"
Next Nomikai: 20 November, 19:30  Tengu TokyoEkiMae 03-3275-3691
---------------------------------------------------------------
Sponsor: PHT, makers of TurboLinux http://www.pht.co.jp
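
A cleanup script of the kind mentioned in the message above could look like this. It is an added example, not Jim's script; the function name `clear_netscape_cache`, the `CLEARED_COUNT` variable and the `--run` switch are assumptions of the example, and it relies on a `find` that supports `-mindepth` and `-delete` (GNU and BSD do).

```shell
#!/bin/sh
# Added example (not the poster's script): empty the two Netscape
# directories named in the message, ~/.netscape/cache and ~/.netscape/archive.

# clear_netscape_cache BASE_DIR
# Removes everything inside BASE_DIR/.netscape/cache and
# BASE_DIR/.netscape/archive, keeping the two directories themselves.
# Leaves the number of regular files it removed in CLEARED_COUNT.
clear_netscape_cache() {
    base=$1
    CLEARED_COUNT=0
    for sub in cache archive; do
        dir="$base/.netscape/$sub"
        # Skip a missing directory, and refuse a symlinked one so that a
        # planted link cannot point the delete at some other directory.
        if [ -L "$dir" ] || [ ! -d "$dir" ]; then
            continue
        fi
        # Count regular files first (one line of find output per file).
        n=$(find "$dir" -mindepth 1 -type f -print | wc -l)
        CLEARED_COUNT=$((CLEARED_COUNT + n))
        # -mindepth 1 spares $dir itself; -delete works depth-first and,
        # unlike "rm $dir/*", also catches dot-files and subdirectories.
        find "$dir" -mindepth 1 -delete
    done
}

# Only touch the real home directory when asked to explicitly.
if [ "${1:-}" = "--run" ]; then
    clear_netscape_cache "$HOME"
    echo "removed $CLEARED_COUNT cached files"
fi
```

Run it with `--run` after closing the browser, since a running Netscape may keep writing to the cache.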

