Linux Today: Linux News On Internet Time.

ZDNet UK: Netscape Flaw Exposes Hard Drives

May 01, 2002, 22:00 (22 Talkback[s])
(Other stories by Matthew Broersma)

"An Israeli software firm has discovered a flaw in Netscape and Mozilla software that allows code hidden in a Web page to read files from the user's PC. The bug is a more serious variant of one patched in Microsoft's Internet Explorer in February.

"GreyMagic Software reported that the problem affects XMLHttpRequest, which allows Web pages in the browser to send and receive XML data via HTTP, the standard Web transfer protocol. XML is an Internet language for describing just about any sort of data.

"According to the report, verified by other developers, XMLHttpRequest doesn't properly check the security settings for some types of data requests in a Web page, allowing them, if properly disguised, to request data from the user's hard drive. The Internet Explorer bug required an attacker to know the name of a file on the user's PC in order to exploit that file, but the Mozilla bug also allows the contents of directories on the local drive to be listed..."

Complete Story

Related Stories: