[25325] in bugtraq
RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
daemon@ATHENA.MIT.EDU (Thor Larholm)
Tue Apr 30 17:04:37 2002
Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB1BD382@mailsrv1.jubii.dk>
From: Thor Larholm <Thor@jubii.dk>
To: "'GreyMagic Software'" <security@greymagic.com>,
NTBugtraq <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
Bugtraq <bugtraq@securityfocus.com>
Date: Tue, 30 Apr 2002 20:07:22 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
> Demonstration:
> ==============
>
> A fully dynamic proof-of-concept demonstration
> of this issue is available at
> http://security.greymagic.com/adv/gm001-ns/.
As some of you may have noticed, the above proof-of-concept does not work in
Mozilla 1.0 Release Candidate 1.
Don't get your hopes high about this though, the issue has not been fixed in
moz1rc1 - the XMLHttpRequest was simply broken in this version of the
browser for unknown reasons, a fact not mentioned in the release notes. When
trying to use it, either nothing happens or the browser crashes. The
proof-of-concept works just fine in Mozilla 0.9.9 (and NS6.1+), and would
work fine in moz1rc1 if the XMLHttpRequest object could be used at all.
The Mozilla XML-Extras project also includes a document.load method that is
used to load XML documents. The same issue applies to this method, and a
proof-of-concept demonstration that also works in moz1rc1 can be found at
http://jscript.dk/2002/4/NS6Tests/documentload.html
Regards
Thor Larholm
Jubii A/S - Internet Programmer
