Netscape flaw exposes users' hard drives - News - Security

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Australia.
--------------------------------------------------------------

Netscape flaw exposes users' hard drives

By Matthew Broersma, Special to ZDNet
May 02, 2002
URL: http://www.zdnet.com.au/news/security/soa/Netscape-flaw-exposes-users-hard-drives/0,130061744,120264961,00.htm

A bug in the Mozilla code, which is used in the latest Netscape browser, allows a Web page to list directories and read files from the users' computer.

An Israeli software firm has discovered a flaw in Netscape and Mozilla software that allows code hidden in a Web page to read files from the user's PC. The bug is a more serious variant of one patched in Microsoft's Internet Explorer in February.

GreyMagic Software on Monday reported that the problem affects XMLHttpRequest, which allows Web pages in the browser to send and receive XML data via HTTP, the standard Web transfer protocol. XML is an Internet language for describing just about any sort of data.

According to the report, verified by other developers, XMLHttpRequest doesn't properly check the security settings for some types of data requests in a Web page, allowing them, if properly disguised, to request data from the user's hard drive. The Internet Explorer bug required an attacker to know the name of a file on the user's PC in order to exploit that file, but the Mozilla bug also allows the contents of directories on the local drive to be listed.

GreyMagic created a demonstration of the bug that allows a Web page to display a window for exploring the viewer's own hard drive.

The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher. The flaw doesn't affect Mozilla 1.0 release candidate 1 because XMLHttpRequest appears to be broken in that release, according to Mozilla developers.

GreyMagic also criticised Netscape's system for reporting bugs, saying a 24 April attempt to report the bug was not acknowledged. Following the firm's public report of the bug, another developer reported the bug to Mozilla's bug-tracking system, whose developers have confirmed the flaw. The flaw has also been distributed on the BugTraq security mailing list.

Netscape, a division of AOL Time Warner, uses Mozilla technology in its commercial browser. Mozilla itself is open source, meaning that its original programming code is freely available for alteration and re-distribution so long as any software that uses it is made available under the same terms. Mozilla software is used in other open-source browsers, such as the Galeon browser for Linux.