Topic: Reading local files in Netscape 6 and Mozilla.

VERIFIED DUPLICATE of bug 141208

Status

defect
--
critical
18 years ago
2 months ago

People

(Reporter: dave.kimberley, Assigned: hjtoi-bugzilla)

Tracking

Trunk
x86
Windows NT

GreyMagic Security Advisory GM#001-NS
By GreyMagic Software, Israel.
30 Apr 2002.

Topic: Reading local files in Netscape 6 and Mozilla.

Discovery date: 30 Mar 2002.
Affected applications:

    * All tested versions of Mozilla (0.9.7+) on Windows, other versions/platforms are believed to be vulnerable.
    * All tested versions of Netscape (6.1+) on Windows, other versions/platforms are believed to be vulnerable.

Introduction:

XMLHTTP is a component that is primarily used for retrieving XML documents from
a web server.

On 15 Dec 2001 "Jelmer" published an advisory titled "MSIE6 can read local
files", which demonstrated how Microsoft's XMLHTTP component allows reading of
local files by blindly following server-side redirections (patched by MS02-008).

Discussion:

It appears that Mozilla's version of XMLHTTP, the XMLHttpRequest object, is
vulnerable to the exact same attack.

By directing the "open" method to a web page that will redirect to a
local/remote file it is possible to fool Mozilla into thinking it's still in the
allowed zone, therefore allowing us to read it.

It is then possible to inspect the content by using the responseText property.

Exploit:

This example attempts to read "c:/test.txt", "getFile.asp" internally redirects
to "file://c:/test.txt":

var oXML=new XMLHttpRequest();
oXML.open("GET","getFile.asp",false);
oXML.send(null);
alert(oXML.responseText);

Solution:

Users of Netscape Navigator should move to a better performing, less buggy browser.

Tested on:

Mozilla 0.9.7, NT4.
Mozilla 0.9.9, Win2000.
Mozilla 0.9.9, NT4.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, Win2000.
Netscape 6.2.2, NT4.

Demonstration:

Status: Waiting.

Feedback:

Please mail any questions or comments to security@greymagic.com.

Copyright © 2002 GreyMagic Software.
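
The advisory above describes a redirect being followed without re-checking the target. As an added example (not part of the advisory and not Mozilla's code), this sketch shows the per-hop check a client can apply before exposing a response to script. The function names, `ALLOWED_SCHEMES`, and the `site.example` URLs are assumptions made for illustration.

```javascript
// Added example, not Mozilla's code. Function and constant names are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Resolve a Location header against the URL that returned it.
function resolveHop(currentUrl, location) {
  try {
    return new URL(location, currentUrl);
  } catch (e) {
    return null; // unparsable Location header
  }
}

// Decide whether script on `pageUrl` may read the response to `requestUrl`
// when the server answers with the given Location headers, in order.
function checkRedirectChain(pageUrl, requestUrl, locations, maxHops = 5) {
  const page = new URL(pageUrl);
  let current = new URL(requestUrl, page);
  const verdict = (allowed, reason) => ({ allowed, finalUrl: current.href, reason });

  if (current.origin !== page.origin) return verdict(false, "cross-origin request");
  if (locations.length > maxHops) return verdict(false, "too many redirects");

  for (const location of locations) {
    const next = resolveHop(current, location);
    if (next === null) return verdict(false, "invalid Location");
    current = next;
    // The decision made for the first URL must not carry over to the
    // redirect target: re-check scheme and origin at every hop.
    if (!ALLOWED_SCHEMES.has(current.protocol)) {
      return verdict(false, "scheme " + current.protocol + " not allowed after redirect");
    }
    if (current.origin !== page.origin) {
      return verdict(false, "redirect leaves origin " + page.origin);
    }
  }
  return verdict(true, "same origin at every hop");
}

// Constructed sample: a page requesting getFile.asp, as in the advisory.
const PAGE = "http://site.example/index.html";
console.log(checkRedirectChain(PAGE, "getFile.asp", ["file://c:/test.txt"]));
console.log(checkRedirectChain(PAGE, "getFile.asp", ["http://other.example/data.xml"]));
console.log(checkRedirectChain(PAGE, "getFile.asp", ["/data.xml"]));
```

The first two calls are refused (local file, then a remote origin); only the same-origin redirect is allowed.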

*** This bug has been marked as a duplicate of 141208 ***
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Summary: Topic: Reading local files in Netscape 6 and Mozilla. → Topic: Reading local files in Netscape 6 and Mozilla.
v
Status: RESOLVED → VERIFIED
Duplicate of this bug: 1560291