Netscape Communicator 4.x Exposes Local Files
Reported April 19, 2000 by
Bennett Haselton
VERSIONS AFFECTED
  • Netscape Communicator 4.x

DESCRIPTION

Netscape Communicator 4.x allows a Web site to read HTML files on a user's hard drive, including the user's bookmarks file and browser cache files. The exploit works by setting a cookie whose value contains JavaScript code.

According to Bennett, in order for an exploit to become possible, the user must be running a profile called "default," or the attacker must know the name of the profile in use. In addition, the remote user must have both JavaScript and cookies enabled.

DEMONSTRATION

As summarized from Bennett's detailed explanation:

The value of a cookie can be set to contain JavaScript. For example, the following JavaScript code will place a line of text inside the C:\Program Files\Netscape\Users\default\cookies.txt file:

document.cookie = "jscookie=<script>alert('hello world')</script>;expires=Fri, 31 Dec 2000 23:00:00 GMT;domain=.peacefire.org;path=/"

The value stored in the cookies.txt file would then be: <script>alert('hello world')</script>

In order to get an exploit to work, a page is used to set a cookie value which contains the relevant JavaScript code. The Web user is then directed to a framed page where one of the frames points to the user's local cookie file, which is probably C:\Program Files\Netscape\Users\default\cookies.txt. Another frame on the page would point to a file to be extracted from the remote Web user's system--for example: C:\Program Files\Netscape\Users\default\bookmark.htm

By loading the cookies.txt file in a frame with the following syntax, the embedded JavaScript can be forced to execute (note the suffix; without it the file is not treated as HTML and the script would not execute):

C:\Program Files\Netscape\Users\default\cookies.txt?/.html

Because the cookies.txt file and the bookmark.htm file are in the same security zone on the remote user's local machine, the JavaScript code inside cookies.txt can read the contents of bookmark.htm, which could then be transmitted to the Web server by embedding them as string data in a URL request.
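The artifact this technique leaves behind is a cookie jar entry whose value contains HTML markup. The following is an added example, not part of Bennett's report or Netscape's code: it parses a Netscape-format cookies.txt (tab-separated fields: domain, include-subdomains flag, path, secure flag, Unix-seconds expiry, name, value) and flags any record whose value carries markup, so an administrator can check a profile directory for this kind of tampering. The file contents below are constructed for the example; the function names are my own.

```javascript
// Added example (not from the advisory): scan a Netscape-format cookies.txt
// for cookie values that contain HTML markup, the signature of the
// cookie-injection technique described above.

// Constructed sample of a cookies.txt file. Real files use the same
// tab-separated layout: domain, include-subdomains flag, path, secure flag,
// expiry (Unix seconds), name, value. Lines starting with '#' are comments.
const SAMPLE_COOKIES_TXT = [
  "# Netscape HTTP Cookie File",
  "# http://www.netscape.com/newsref/std/cookie_spec.html",
  "",
  ".example.com\tTRUE\t/\tFALSE\t978303600\tsessionid\tabc123",
  ".peacefire.org\tTRUE\t/\tFALSE\t978303600\tjscookie\t<script>alert('hello world')</script>",
  ".example.org\tTRUE\t/\tFALSE\t978303600\tpref\t<b>bold</b>",
].join("\n");

// Parse one record line into an object. Returns null for comment lines,
// blank lines and malformed records (anything other than seven fields).
function parseCookieLine(line) {
  if (line === "" || line.startsWith("#")) return null;
  const fields = line.split("\t");
  if (fields.length !== 7) return null;
  const [domain, subdomains, path, secure, expires, name, value] = fields;
  return {
    domain,
    includeSubdomains: subdomains === "TRUE",
    path,
    secure: secure === "TRUE",
    expires: Number(expires),
    name,
    value,
  };
}

// A legitimate cookie value never needs angle brackets; their presence is
// enough to flag the record. A <script ...> opening tag is called out
// separately because that is the exact payload shape the advisory describes.
const SCRIPT_TAG_RE = /<\s*script\b/i;

function hasMarkup(value) {
  return value.includes("<") || value.includes(">");
}

// Scan the whole file and return the suspicious records, each annotated
// with whether the markup is a script tag.
function findMarkupCookies(text) {
  const hits = [];
  for (const line of text.split(/\r?\n/)) {
    const cookie = parseCookieLine(line);
    if (cookie && hasMarkup(cookie.value)) {
      hits.push({ ...cookie, hasScript: SCRIPT_TAG_RE.test(cookie.value) });
    }
  }
  return hits;
}

// Stand-alone usage: report what the constructed sample contains.
const suspicious = findMarkupCookies(SAMPLE_COOKIES_TXT);
for (const c of suspicious) {
  const kind = c.hasScript ? "script tag" : "markup";
  console.log(`suspicious cookie '${c.name}' for ${c.domain} (${kind}): ${c.value}`);
}
```

On a real profile, read cookies.txt from the path given in the advisory (or the profile in use) and pass its contents to findMarkupCookies; any hit is worth clearing before the browser is used again, and a hit with hasScript set matches the pattern in this report exactly.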

VENDOR RESPONSE

Netscape said it would fix the problem in a minor point release in the near future. In the meantime, users should disable all types of scripting (ActiveX, Java, JavaScript, etc.) as well as cookies for all untrusted sites.

CREDITS
Discovered and reported by
Bennett Haselton