GreyMagic Security Advisory GM#001-NS By GreyMagic Software, Israel. 30 Apr 2002. Topic: Reading local files in Netscape 6 and Mozilla. Discovery date: 30 Mar 2002. Affected applications: * All tested versions of Mozilla (0.9.7+) on Windows, other versions/platforms are believed to be vulnerable. * All tested versions of Netscape (6.1+) on Windows, other versions/platforms are believed to be vulnerable. Introduction: XMLHTTP is a component that is primarily used for retrieving XML documents from a web server. On 15 Dec 2001 "Jelmer" published an advisory titled "MSIE6 can read local files", which demonstrated how Microsoft's XMLHTTP component allows reading of local files by blindly following server-side redirections (patched by MS02-008). Discussion: It appears that Mozilla's version of XMLHTTP, the XMLHttpRequest object, is vulnerable to the exact same attack. By directing the "open" method to a web page that will redirect to a local/remote file it is possible to fool Mozilla into thinking it's still in the allowed zone, therefore allowing us to read it. It is then possible to inspect the content by using the responseText property. Exploit: This example attempts to read "c:/test.txt", "getFile.asp" internally redirects to "file://c:/test.txt": var oXML=new XMLHttpRequest(); oXML.open("GET","getFile.asp",false); oXML.send(null); alert(oXML.responseText); Solution: Users of Netscape Navigator should move to a better performing, less buggy browser. Tested on: Mozilla 0.9.7, NT4. Mozilla 0.9.9, Win2000. Mozilla 0.9.9, NT4. Netscape 6.1, NT4. Netscape 6.2.1, Win2000. Netscape 6.2.2, Win2000. Netscape 6.2.2, NT4. Demonstration: Status: Waiting. Feedback: Please mail any questions or comments to firstname.lastname@example.org. Copyright © 2002 GreyMagic Software. Powered by IDNS.
*** This bug has been marked as a duplicate of 141208 ***
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Summary: Topic: Reading local files in Netscape 6 and Mozilla. → Topic: Reading local files in Netscape 6 and Mozilla.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.