Browse by
Reading local files in Netscape 6 and Mozilla
02 May 2002
Bookmark and Share
GreyMagic Security Advisory GM#001-NS
By GreyMagic Software, Israel.
30 Apr 2002.

Available in HTML format at http://security.greymagic.com/adv/gm001-ns/.

Topic: Reading local files in Netscape 6 and Mozilla.

Discovery date: 30 Mar 2002.

Affected applications:

* All tested versions of Mozilla (0.9.7+) on Windows, other versions/platforms are believed to be vulnerable.

* All tested versions of Netscape (6.1+) on Windows, other versions/platforms are believed to be vulnerable.

Important notes:

Netscape was contacted on 24 Apr 2002 through a form on their web site and through email to security@netscape.com and secure@netscape.com.

They did not bother to respond AT ALL, and we think we know why.

A while ago Netscape started a "Bug Bounty" program, which entitles researchers who find a bug that allows an attacker to run unsafe code or access files to a $1000 reward.

By completely disregarding our post Netscape has earned themselves a $1000 and lost any credibility they might have had. The money is irrelevant, but using such a con to attract researchers into disclosing bugs to Netscape is extremely unprofessional.

Netscape's faulty conducts made us rethink our disclosure guidelines and we came to the following decisions:

* Release all future Netscape advisories without notifying Netscape at all.

* Advise the security community to do the same. Netscape is deceiving researchers and should not be rewarded.

* Advise customers to stop using Netscape Navigator through our security advisories and business contacts.

[1] http://home.netscape.com/security/bugbounty.html

Introduction: =============

XMLHTTP is a component that is primarily used for retrieving XML documents from a web server.

On 15 Dec 2001 "Jelmer" published an advisory titled "MSIE6 can read local files", which demonstrated how Microsoft's XMLHTTP component allows reading of local files by blindly following server-side redirections (patched by MS02-008).

[1] http://www.xs4all.nl/~jkuperus/bug.htm
[2] http://www.microsoft.com/technet/security/bulletin/MS02-008.asp


Mozilla's version of XMLHTTP, the XMLHttpRequest object, is vulnerable to the exact same attack.

By directing the "open" method to a web page that will redirect to a local/remote file it is possible to fool Mozilla into thinking it's still in the allowed zone, therefore allowing us to read it.

It is then possible to inspect the content by using the responseText property.


This example attempts to read "c:/test.txt", "getFile.asp" internally redirects to "file://c:/test.txt":

var oXML=new XMLHttpRequest();


Users of Netscape Navigator should move to a better performing, less buggy browser.

Tested on:

Mozilla 0.9.7, NT4.
Mozilla 0.9.9, NT4.
Mozilla 0.9.9, Win2000.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, NT4.
Netscape 6.2.2, Win2000.


A fully dynamic proof-of-concept demonstration of this issue is available at http://security.greymagic.com/adv/gm001-ns/.


Please mail any questions or comments to security@greymagic.com.

- Copyright © 2002 GreyMagic Software.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th