GreyMagic Software said both Netscape and Mozilla browsers are at risk for
an attack that would allow local files to be read.
According to a security
posting on its Web site, the Israel-based software company found that a
component for retrieving XML documents from a Web server, known as XMLHTTP,
can be used to read local files by blindly following server-side
redirections.
“By directing the ‘open’ method to a Web page that will redirect to a
local/remote file, it is possible to fool Mozilla into thinking it’s still
in the allowed zone, therefore allowing us to read it,” the warning reads.
“It is then possible to inspect the content by using the responseText
property.”
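
The flaw described above can be modeled as a missing origin check on redirect hops. The following JavaScript is an added illustration, not code from GreyMagic, Netscape or Mozilla: it compares a resolver that checks only the requested URL with one that re-checks every hop, using a constructed redirect table. The host names, the file path and all function names are hypothetical.

```javascript
// Constructed redirect table standing in for server responses.
// Host names and the file path are hypothetical placeholders.
const REDIRECTS = new Map([
  ["http://site.example/moved", "http://site.example/data.xml"], // same origin
  ["http://site.example/r", "file:///C:/placeholder.txt"],       // to a local file
  ["http://site.example/x", "http://other.example/data.xml"],    // cross origin
  ["http://site.example/loop", "http://site.example/loop"],      // redirect loop
]);

// http(s) URLs compare by scheme+host+port; anything else (file:, data:, ...)
// gets a marker that can never equal a web origin.
function originOf(url) {
  const u = new URL(url);
  return u.protocol === "http:" || u.protocol === "https:"
    ? u.origin
    : u.protocol + "//(opaque)";
}

// Flawed model: the caller's origin is checked once, against the requested URL
// only, and redirects are then followed blindly.
function resolveUnchecked(startUrl, callerOrigin, redirects = REDIRECTS, maxHops = 5) {
  if (originOf(startUrl) !== callerOrigin) return { allowed: false, url: startUrl };
  let url = startUrl;
  for (let hop = 0; hop < maxHops && redirects.has(url); hop++) {
    url = new URL(redirects.get(url), url).href;
  }
  return { allowed: true, url };
}

// Hardened model: every hop, including the final one, must stay in the caller's origin.
function resolveChecked(startUrl, callerOrigin, redirects = REDIRECTS, maxHops = 5) {
  let url = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (originOf(url) !== callerOrigin) {
      return { allowed: false, url, reason: "redirect left the caller's origin" };
    }
    if (!redirects.has(url)) return { allowed: true, url, reason: "ok" };
    url = new URL(redirects.get(url), url).href;
  }
  return { allowed: false, url, reason: "too many redirects" };
}

for (const path of ["moved", "r", "x", "loop"]) {
  const start = "http://site.example/" + path;
  console.log(path, resolveUnchecked(start, "http://site.example"),
    resolveChecked(start, "http://site.example"));
}
```
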
GreyMagic said it tested Netscape 6.1 and 6.2, for both Windows 2000 and NT4.
It also said it tested Mozilla 0.9.7 for NT4 and 0.9.9 for Windows 2000 and
NT4.
The warning builds on an
advisory from Dec. 15, 2001, posted by a Dutch ISP, which said
Microsoft’s Internet Explorer browser was vulnerable to the same type of
XMLHTTP attack. Microsoft issued a patch for the bug in late February.
As of now, Netscape has not issued a patch for the bug. GreyMagic Security
said users “should move to a better performing, less buggy browser.”
The rancorous tone arises from GreyMagic’s feeling that Netscape did not
live up to the promises in its “Bug Bounty Program,”
which offers $1,000 rewards for finding security flaws. GreyMagic claims it
contacted Netscape twice last week through its online security notification
form, but never heard back.
Netscape officials were unavailable for comment.
GreyMagic asserted it always tries to work with software companies on
security flaws it finds, but said it would now post Netscape warnings
without contacting the company. Recently, GreyMagic posted a batch of
warnings about security flaws in Microsoft’s Office Web Components. In
that instance, too, the company issued the warnings before the problem was
patched, saying it could not wait until Microsoft finished investigating the
problem.