"An Israeli software firm has discovered a flaw in Netscape and
Mozilla software that allows code hidden in a Web page to read
files from the user's PC. The bug is a more serious variant of one
patched in Microsoft's Internet Explorer in February.

"GreyMagic Software reported that the problem affects
XMLHttpRequest, which allows Web pages in the browser to send and
receive XML data via HTTP, the standard Web transfer protocol. XML
is an Internet language for describing just about any sort of

"According to the report, verified by other developers,
XMLHttpRequest doesn't properly check the security settings for
some types of data requests in a Web page, allowing them, if
properly disguised, to request data from the user's hard drive. The
Internet Explorer bug required an attacker to know the name of a
file on the user's PC in order to exploit that file, but the
Mozilla bug also allows the contents of directories on the local
drive to be listed..."