JavaScript not ready for prime time

The following report is excerpted from Lincoln Stein's WWW Security FAQ files, found at . JavaScript and Java share a common name and syntax, but they are quite distinct entities. Java is a language designed by Sun Microsystems. JavaScript is a series of extensions to the HTML language understood only by Netscape Navigator versions 2.0 (and higher). It's an interpreted language designed for controlling the Netscape browser; it has the ability to open and close windows, manipulate form elements, adjust browser settings, and download and execute Java applets. JavaScript holes all involve infringements on the user's privacy. The following holes all exist in Netscape 2.01, and were discovered and publicized by John Robert LoVerso of the OSF Research Institute (

1. JavaScripts can trick the user into uploading a file on his local hard disk or network mounted disk to an arbitrary machine on the Internet. Although the user must click a button in order to initiate the transfer, the button can easily masquerade as something innocent. Nor is there any indication that a file transfer has occurred before or after the event. This is a major security risk for systems that rely on a password file to control access, because a stolen password file can often be readily cracked.

2. JavaScripts can obtain directory listings of the user's local hard disk and any network mounted disks. This represents both an invasion of privacy and a security risk, since an understanding of a machine's organization is a great advantage for devising a way to break into it.

3. JavaScripts can monitor all pages the user visits during a session, capture the URLs, and transmit them to a host somewhere on the Internet. This hole requires a user interaction to complete the upload, but as in the first example the interaction can be disguised in an innocuous manner.

A description of these bugs can be found at: Netscape's version 2.01 browser permits the user to disable Javascript.