PeaceFire.org: Security hole in Netscape exposes hard drive files

“This page demonstrates a security exploit in Netscape 4.x that
lets a malicious Web site gain access to files on a user’s hard
drive: JavaScript-in-cookies security hole demo

We think this may be one of the most powerful Netscape
Communicator exploits *ever* — offhand I can only think of
one Netscape bug ever discovered that was more serious than this
one (discovered in 1997 by a Danish consultant, it also gave a Web
site access to files on a user’s computer). We have already
contacted Netscape to report this problem, and they are working on
a fix.”

“This security hole affects anyone running Netscape Communicator
4.x for Windows with cookies and JavaScript turned on (these are
the default settings in effect for almost all browsers). Netscape
claims an installed client base of over 50 million browsers.”

“The exploit involves setting a cookie on the user’s browser,
such that the *value* of the cookie contains JavaScript code that
can perform privileged operations. (So this is great for reporters
who like popular buzzwords like “cookie” and “JavaScript”, which
always look sexy in a story about Web browser security holes.)”