JavaScript-in-cookies security hole demo page

bennett@peacefire.org
April 19, 2000

News sightings: C-Net | ZDNet | NTSecurity | MSNBC

This page demonstrates a security hole in Netscape Communicator 4.x which allows a malicious Web site to read HTML files on a user's hard drive (including the user's bookmarks file and browser cache files, which reveal Web-surfing history). The exploit works by setting a cookie whose value contains JavaScript code. Go here for a simple explanation of how the exploit works, or scroll further down for the demonstration.
In order for this exploit to work, you must be using a Communicator user profile named "default". Most of the time, this is a valid assumption, since most users accept the default profile name "default" when they are setting up Communicator. (The exploit will work with profile names other than "default", as long as you can guess the name of the profile. If you were to carry out the exploit on one particular person, and you knew their name and email address, you might guess that their profile name was either their first name, or the username portion of their email address.)

To see the names of the Communicator profiles on your computer, look in C:\Program Files\Netscape\Users. Every Communicator profile has a corresponding sub-directory there (the vast majority of Communicator installations have only one profile). If you don't see a directory named "default", you must create a user profile called "default" before continuing:

  1. Close down Netscape Communicator.
  2. Go to Start -> Programs -> Netscape Communicator -> Utilities -> User Profile Manager and click "New...".
  3. The profile creation wizard will start. Enter any values you want for the profile settings, except that in the box titled "Choose a Name and Directory for your Profile", enter "default" for the "Profile Name". (The value "default" should already be entered by, um, default.)
  4. Netscape will automatically launch and go to http://home.netscape.com/home/su_setup.html, but you can close Netscape at this point.
  5. Re-start Netscape and you will get a dialog box titled "Profile Manager" asking which profile you want to use. Select the profile named "default".
Now that you are running a profile named "default", you must have at least one bookmark set. (The exploit works by reading the last bookmark in your bookmark.htm file, the file that determines the list of bookmarks displayed under the Communicator -> Bookmarks menu.) Go to one of your favorite sites and then pick Communicator -> Bookmarks -> Add Bookmark.
Finally, two options have to be set correctly for the exploit to work (both are the default settings, so these assumptions hold for almost all browsers):

  1. Make sure that cookies are enabled. Go to Edit -> Preferences -> Advanced and, under the "Cookies" section, make sure that "Accept all cookies" is selected. If you want to see the cookie being set, check the box labeled "Warn me before accepting a cookie".
  2. Make sure that JavaScript is enabled. Also under Edit -> Preferences -> Advanced, make sure the box labeled "Enable JavaScript" is checked.

Now proceed to the demonstration page.