Skip navigation
Menu
Security

Netscape Communicator Exposes Local Files

 
Netscape Communicator 4.x Exposes Local Files
Reported April 19, 2000 by Bennett Haselton
VERSIONS EFFECTED
  • Netscape Communicator 4.x

DESCRIPTION

Netscape Communicator 4.x allows a Web site to read HTML files on a user"s hard drive, including the user"s bookmarks file and browser cache files. The exploit works by setting a cookie whose value contains JavaScript code.

According to Bennett, in order for an exploit to become possible, the user must be running a profile called "default," or the attacker must know the name of the profile in use. In addition, the remote user must have JavaScript and cookies turned enabled.

DEMONSTRATION

As summarized from Bennett"s detailed explanation:

The value of a cookie can be set to contain JavaScript. For example, the following JavaScript code will place a line of text inside the C:\Program Files\Netscape\Users\default\cookies.txt file:

document.cookie = "jscookie=\<script\>alert("hello world")\</script\>;expires=Fri, 31 Dec 2000 23:00:00 GMT;domain=.peacefire.org;path=/"

The contents of the cookies.txt file would be: <script>alert("hello world")</script>

In order to get an exploit to work, a page is used to set a cookie value which contains relevant JavaScript code. The Web user is then directed to a framed  page where one of the frames points to the user"s local cookie file, which is probably C:\Program Files\Netscape\Users\default\cookies.txt. Another frame on the page would point to a file to be extracted from the remote Web user"s system--for example: C:\Program Files\Netscape\Users\default\bookmark.htm

By calling the cookies.txt file in a frame with the following syntax, the embedded JavaScript can be forced to execute (notice the suffix, without it the script would not execute):

C:\Program Files\Netscape\Users\default\cookies.txt?/.html

Because the cookies.txt file and the bookmark.htm file are in the same security zone on the remote user"s local machine, the JavaScript code inside cookies.txt can access the  bookmark.htm file, whose contents could be transmitted by to the Web server by inserting as a string data in a URL request command.

VENDOR RESPONSE

Netscape said it would fix the problem in a minor point release in the near future. In the mean time, users should disable all types of scripting (ActiveX, Java, JavaScript, etc) as well as cookies for all untrusted sites.

CREDITS
Discovered and reported by Bennett Haselton
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024