
GreyMagic Security Advisory GM#001-NS

By GreyMagic Software, Israel.
30 Apr 2002.

Topic: Reading local files in Netscape 6 and Mozilla.

Discovery date: 30 Mar 2002.

Affected applications:

Introduction:

XMLHTTP is a component that is primarily used for retrieving XML documents from a web server.

On 15 Dec 2001 "Jelmer" published an advisory titled "MSIE6 can read local files", which demonstrated how Microsoft's XMLHTTP component allows reading of local files by blindly following server-side redirections (patched by MS02-008).

Discussion:

It appears that Mozilla's version of XMLHTTP, the XMLHttpRequest object, is vulnerable to the exact same attack.

By pointing the "open" method at a web page that redirects to a local or remote file, it is possible to fool Mozilla into thinking the request is still within the allowed zone, and so to read that file.

It is then possible to inspect the content by using the responseText property.

Update (1-May-2002):

It has been reported that this bug can also list the full contents of folders, which makes it much more severe than the bug that was patched by MS02-008.

We added a little "Mozilla Disk Explorer" demonstration, so you can see it in action.

Thanks to "loon" and Gerd Zemella for letting us know.

Exploit:

This example attempts to read "c:/test.txt"; the server-side page "getFile.asp" redirects to "file://c:/test.txt":

var oXML=new XMLHttpRequest();
// Synchronous request to a same-site page; the server answers with a redirect to file://c:/test.txt
oXML.open("GET","getFile.asp",false);
oXML.send(null);
// The content of the redirect target is exposed through responseText
alert(oXML.responseText);
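The flaw described above is that the origin check is applied only to the URL passed to "open", not to the URL the server redirects to. The following is an added example (not part of the advisory or of Mozilla's code) that models the two behaviours against a constructed in-memory redirect table: the unchecked resolver reproduces the bug, the checked resolver applies the same origin test on every hop.

```javascript
// Constructed redirect table standing in for server-side redirections.
// Keys are requested URLs, values are the Location the server answers with.
const REDIRECTS = {
  "http://example.test/getFile.asp": "file:///c:/test.txt",
  "http://example.test/hop1": "http://example.test/hop2",
  "http://example.test/hop2": "http://example.test/data.xml",
  "http://example.test/cross": "http://other.test/secret",
};

// Same-origin test on scheme and host; file:// never matches an http origin.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Vulnerable model: only the URL handed to open() is checked. Whatever the
// server redirects to is then followed blindly, so a file:// or cross-host
// target is returned and its content would be readable via responseText.
function resolveUnchecked(pageOrigin, url, maxHops = 10) {
  if (!sameOrigin(pageOrigin, url)) throw new Error("blocked: " + url);
  let cur = url;
  for (let i = 0; i < maxHops && REDIRECTS[cur]; i++) cur = REDIRECTS[cur];
  return cur;
}

// Hardened model: the origin check is repeated for every redirect hop, and
// the chain is bounded so a redirect loop cannot run forever.
function resolveChecked(pageOrigin, url, maxHops = 10) {
  let cur = url;
  for (let i = 0; i <= maxHops; i++) {
    if (!sameOrigin(pageOrigin, cur)) throw new Error("blocked: " + cur);
    if (!REDIRECTS[cur]) return cur;
    cur = REDIRECTS[cur];
  }
  throw new Error("too many redirects");
}
```

With the page origin "http://example.test/", the unchecked resolver returns "file:///c:/test.txt" for getFile.asp, while the checked resolver refuses it but still follows the legitimate same-host chain hop1 -> hop2 -> data.xml.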

Solution:

Netscape was informed on 24 Apr 2002 through a security form on their web site and later on through email. In our notification we stated that we would wait 5 days for a reply (not a patch, a simple acknowledgement) from Netscape and after that period, with no reply, go public.

Six days later, when no reply arrived, we went public as we stated we would in our post.

As a result of Netscape's poor way of handling this case we recommend users to consider moving to a different browser, which may have a more responsive security team.

Tested on:

Mozilla 0.9.6, Linux (Debian).
Mozilla 0.9.7, NT4.
Mozilla 0.9.8, Linux (Red Hat 7.1).
Mozilla 0.9.9, Win2000.
Mozilla 0.9.9, NT4.
Mozilla 0.9.9, Linux (Red Hat 7.2).
Mozilla 1.0 RC1, FreeBSD.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, Win2000.
Netscape 6.2.2, NT4.
Netscape 6.2.2, Linux (Debian).

Demonstration:

GreyMagic Mozilla Disk Explorer

Status: Waiting.

Disclaimer:

The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.

Vulnerability details are provided strictly for educational and defensive purposes.

GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
