Netscape Communicator Javascript-in-Cookies Vulnerability
BID:1120
Info
Netscape Communicator Javascript-in-Cookies Vulnerability
| Bugtraq ID: | 1120 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Apr 19 2000 12:00AM |
| Updated: | Apr 19 2000 12:00AM |
| Credit: | Discovered by Bennett Haselton <[email protected]> and publicized on April 19, 2000. |
| Vulnerable: |
Netscape Communicator 4.72 Netscape Communicator 4.61 Netscape Communicator 4.51 Netscape Communicator 4.7 Netscape Communicator 4.6 Netscape Communicator 4.5 Netscape Communicator 4.0 Netscape Communicator 4.07 Netscape Communicator 4.06 |
| Not Vulnerable: |
Netscape Communicator 4.73 |
Discussion
Netscape Communicator Javascript-in-Cookies Vulnerability
Netscape Communicator 4.72 and previous will grant remote access to local html files (including the user's bookmark file and files in their cache) if both cookies and javascript are enabled. This is possible due to the fact that javascript can be embedded in a cookie, written to cookies.txt, and then executed, in which case the code is treated as local and allowed to interact with local data. The path to the user's profile directory must be known to that attacker, as it needs to be specified in the javascript code.
Netscape Communicator 4.72 and previous will grant remote access to local html files (including the user's bookmark file and files in their cache) if both cookies and javascript are enabled. This is possible due to the fact that javascript can be embedded in a cookie, written to cookies.txt, and then executed, in which case the code is treated as local and allowed to interact with local data. The path to the user's profile directory must be known to that attacker, as it needs to be specified in the javascript code.
Exploit / POC
Netscape Communicator Javascript-in-Cookies Vulnerability
Bennett Haselton <[email protected]> has set up the following vulnerability demonstration page:
http://www.peacefire.org/security/jscookies/
Bennett Haselton <[email protected]> has set up the following vulnerability demonstration page:
http://www.peacefire.org/security/jscookies/
Solution / Fix
Netscape Communicator Javascript-in-Cookies Vulnerability
Solution:
Netscape has released the 4.73 upgrade which is not susceptible to this issue. 4.73 and later versions can be downloaded from:
http://home.netscape.com/download/
Solution:
Netscape has released the 4.73 upgrade which is not susceptible to this issue. 4.73 and later versions can be downloaded from:
http://home.netscape.com/download/
References
Netscape Communicator Javascript-in-Cookies Vulnerability
References:
References:
- Exploit Enables Reading of Bookmark Links and Some Attributes of HTML Files (Netscape)
- How the JavaScript-in-cookies security exploit works (Bennett Haselton)
- JavaScript-in-cookies security hole demo page (Bennett Haselton)
- Netscape tests patches for security hole (CNet)