Problem with Netscape Navigator Core Dumps
                ******************************************
 
When Netscape Navigator for unix dumps core, at least the following are readily 
extractable from the core dump:

* the complete contents of the user's bookmarks file

* the URL of every site visited in the session

* the text of every site visited in the session

* the complete contents of the user's unix environment

* plaintext of ANY USERNAME/PASSWORD PAIR USED DURING THE SESSION, and the 
        urls to which they belong

* the contents of ANY FORM SUBMITTED during the session 

This stuff is trivially accessible using the "strings" utility or a binary 
editor. I first noticed this while idly poking at a core left by Netscape when
it crashed during normal use. When I started testing, I caused dumps by sending
SIGILL.

Versions tested (and vulnerable):

3.04 - Solaris, linux
4.04 - Solaris, linux
4.05 - Solaris
4.08 - Solaris, linux 

Versions on which I could NOT reproduce this (which doesn't mean that problem 
isn't there, just that I couldn't make it happen):

4.5 - Solaris

Other info:

* The cores are dumped into Netscape's cwd, which is usually a user's home
        directory.

* When the cores are dumped, they are dumped with permissions set according to 
        the user's umask. So, if permissions on the user's directory and  the
        user's umask are 700 and 077 respectively, the core file will not be
	readable by other, non-root users. That being the case, it's probably
        easier to obtain username/password pairs by ethernet sniffing, however,
        that's no reason for Netscape to ignore the problem, and many users
        (including admins) are not so careful about their permissions...

* Netscape was notified of the existence of this probem approximately two weeks
        ago, and I've had no response of any kind. 


by echo8, 3/4/1999