Bugtraq: UPDATE (1-May-2002): Reading local files in Netscape 6 and Mozilla (GM#001-NS)

["GreyMagic Software" <security () greymagic com>]

Hello,

A bit after we released the advisory we received two emails, which notified
us that through testing in our demonstration, they found out that this bug
can also be used to list files in folders.

That alone, makes this bug far more volatile than the one patched by
MS02-008. It is possible to recursively build a tree of the victim's file
system, along with size, date and the content of files.

This vulnerability opens the entire file system up for reading (as long as
the browser user has access).

We added a "Mozilla Disk Explorer" demonstration to our advisory, which lets
you browse through your local disk, entering folders and reading files with
a simple click. Everything you see in this demonstration could be easily
transferred to an attacking server, logging your file system structure and
contents (without need for user interaction, of course).

You can view it at http://sec.greymagic.com/adv/gm001-ns/mozexplorer.html

Thanks to "loon" and Gerd Zemella for letting us know.

On a different note, this issue has been fixed by the Mozilla crew, thanks
for the quick patch.

        - GMS