Closed Bug 141551 Opened 23 years ago Closed 23 years ago

Reading local files/folders in Mozilla

Categories

(Core :: XML, defect)

x86
Windows 98
defect
Not set
major

VERIFIED DUPLICATE of bug 141061

People

(Reporter: prb, Assigned: hjtoi-bugzilla)

Details

Build #20020430.

From GreyMagic Software: "On 15 Dec 2001 "Jelmer" published an advisory titled "MSIE6 can read local files", which demonstrated how Microsoft's XMLHTTP component allows reading of local files by blindly following server-side redirections (patched by MS02-008).

It appears that Mozilla's version of XMLHTTP, the XMLHttpRequest object, is vulnerable to the exact same attack. By directing the "open" method to a web page that will redirect to a local/remote file it is possible to fool Mozilla into thinking it's still in the allowed zone, therefore allowing us to read it. It is then possible to inspect the content by using the responseText property.

It has been reported that this bug can also list the full contents of folders, which makes it much more severe than the bug that was patched by MS02-008."

I enter this, knowing that the bug has been submitted before, but I could not find it. I had heard rumors that Netscape and Mozilla are trying to quash the reporting of this bug. Reports to Bugzilla get removed with no action taken. I give security advice to about 100 clergy in the Episcopal Diocese of Hawaii. If this report isn't handled normally, I will have no choice but to stop recommending Mozilla as a browser. I find Netscape's refusal to pay GreyMagic software the $1000 bounty utterly reprehensible.
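The report above turns on a redirect target inheriting the trust of the URL originally passed to "open". As an added example (not part of the bug report and not Mozilla's actual fix), the sketch below re-checks every hop of a redirect chain against the requesting page's origin before the response may be exposed to script; the function names and all URLs are constructed for illustration.

```javascript
// Added illustration. Helper names are hypothetical; sample URLs are constructed.

// Origin (scheme + host + port) for network URLs only. file: and every other
// non-http(s) scheme yields null, which the check below never accepts.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.origin;
}

// chain = the requested URL followed by each redirect (Location) target.
// Returns the first hop that leaves the requesting page's origin, or null
// when every hop stays inside it.
function firstDisallowedHop(pageUrl, chain) {
  const allowed = originOf(pageUrl);
  let base = pageUrl;
  for (const hop of chain) {
    let resolved;
    try {
      resolved = new URL(hop, base).href; // Location may be relative
    } catch (e) {
      return hop; // unparseable target: refuse
    }
    const o = originOf(resolved);
    if (o === null || o !== allowed) return resolved;
    base = resolved;
  }
  return null;
}

// The response body may be handed to script only if no hop left the origin.
function mayExposeResponse(pageUrl, chain) {
  return firstDisallowedHop(pageUrl, chain) === null;
}

// Constructed sample: a same-origin URL that redirects to a local file.
const samplePage = 'http://site.example/page.html';
const sampleChain = ['http://site.example/redir', 'file:///C:/test.txt'];
console.log(mayExposeResponse(samplePage, sampleChain),
            firstDisallowedHop(samplePage, sampleChain));
```

The decision is made on the final, resolved URL of each hop rather than on the URL the script originally supplied, which is the distinction the advisory describes as being missed.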
*** This bug has been marked as a duplicate of 141061 ***
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
verified duplicate

Please note that this bug has already been fixed in the nightly builds; so RC2 will have this fix too. Also, please don't blame Mozilla or mozilla.org for the things Netscape does or does not
Status: RESOLVED → VERIFIED
All security bugs are marked "mozilla only" in bugzilla. They are opened again after they are fixed. This bug was fixed 1 day after someone (not the people from GreyMagic) reported the bug in bugzilla.

bug reported : 2002-04-29 17:46
fixed : 2002-04-30 16:29

In my opinion (I don't speak for mozilla.org or NS) they should not get money because GreyMagic never opened a bug in bugzilla or sent a mail to a mozilla developer and that is not very nice !

BTW: look at http://sec.greymagic.com/adv and you will see the status of many bugs. Many bugs were opened weeks ago but this bug was fixed in 1 day.

>I had heard rumors that Netscape and Mozilla

yea, that's stupid and wrong (in the mozilla case and mozilla.org is not Netscape) !
I was gratified to see this one marked as a duplicate of 141061. I verify the flaw is fixed in the May 1 nightly build. I appreciate that Mozilla is not Netscape. I appreciate also the explanation for reports disappearing from Bugzilla. In case no-one else did, I sent an e-mail to GreyMagic, notifying them the exploit no longer works as of the May 1 build. I will recommend Mozilla again when RC2 is released.
>In my opinion (I don't speak for mozilla.org or NS) they should not get money
>because GreyMagic never opened a bug in bugzilla or sent a mail to a mozilla
>developer and that is not very nice !

eh, matti... mozilla.org has nothing to do with the $1000, that's a netscape only thing, and I doubt that you have information from netscape about this issue. (ie. if they were contacted, or when)