Internet.com

ISP-Planet

 


ISP News

Flaws Uncovered in Netscape, Mozilla

GreyMagic Software said both Netscape and Mozilla browsers are at risk for an attack that would allow local files to be read.

by Brian Morrissey
of internetnews.com
[May 1, 2002]

According to a security posting on its website, Israel-based GreyMagic Software found that XMLHTTP, a component for retrieving XML documents from a Web server, can be used to read local files because it blindly follows server-side redirections.

"By directing the 'open' method to a Web page that will redirect to a local/remote file, it is possible to fool Mozilla into thinking it's still in the allowed zone, therefore allowing us to read it," the warning reads. "It is then possible to inspect the content by using the responseText property."
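The check that the quoted description says is missing can be modeled in a few lines. The following is an added example, not code from GreyMagic, Netscape or Mozilla: it compares a policy that validates only the URL passed to `open` with one that re-validates every redirect hop. The hosts, the redirect table and the function names are constructed for illustration.

```javascript
// Constructed redirect table standing in for server responses (hypothetical hosts).
const REDIRECTS = new Map([
  ["http://site.example/moved", "http://site.example/data.xml"], // same-origin redirect
  ["http://site.example/r", "file:///C:/placeholder.txt"],       // redirect to a local file
  ["http://site.example/x", "http://other.example/private.xml"], // cross-origin redirect
  ["http://site.example/loop", "http://site.example/loop"],      // redirect loop
]);

// Only http(s) URLs get a comparable origin; file: and other schemes match nothing.
function origin(u) {
  const p = new URL(u);
  if (p.protocol !== "http:" && p.protocol !== "https:") return null;
  return `${p.protocol}//${p.host}`;
}

function sameOrigin(a, b) {
  const oa = origin(a);
  return oa !== null && oa === origin(b);
}

// Flawed model: the origin check runs once, on the requested URL, and the
// redirects are then followed without being checked again.
function checkFirstHopOnly(pageUrl, requestUrl, redirects = REDIRECTS, maxHops = 5) {
  if (!sameOrigin(pageUrl, requestUrl)) return { allowed: false, finalUrl: requestUrl };
  let url = requestUrl;
  for (let i = 0; i < maxHops && redirects.get(url); i++) url = redirects.get(url);
  return { allowed: true, finalUrl: url };
}

// Corrected model: every hop, including the final one, must stay in the page's
// origin, and the chain length is bounded.
function checkEveryHop(pageUrl, requestUrl, redirects = REDIRECTS, maxHops = 5) {
  let url = requestUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!sameOrigin(pageUrl, url)) {
      return { allowed: false, finalUrl: url, reason: "cross-origin hop" };
    }
    const next = redirects.get(url);
    if (!next) return { allowed: true, finalUrl: url };
    url = new URL(next, url).href; // resolve relative Location values against the current hop
  }
  return { allowed: false, finalUrl: url, reason: "too many redirects" };
}
```

With the constructed table, the first function reports a request that ends at a `file:` URL as allowed, while the second rejects it at the hop where the origin changes.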

GreyMagic said it tested Netscape 6.1 and 6.2 on both Windows 2000 and NT4. It also said it tested Mozilla 0.9.7 on NT4 and 0.9.9 on Windows 2000 and NT4.

The warning builds on an advisory from Dec. 15, 2001, posted by a Dutch ISP, which said Microsoft's Internet Explorer browser was vulnerable to the same type of XMLHTTP attack. Microsoft issued a patch for the bug in late February.

As of now, Netscape has not issued a patch for the bug. GreyMagic Security said users "should move to a better performing, less buggy browser."

The rancorous tone arises from GreyMagic's feeling that Netscape did not live up to the promises in its "Bug Bounty Program," which offers $1,000 rewards for finding security flaws. GreyMagic claims it contacted Netscape twice last week through its online security notification form, but never heard back.

Netscape officials were unavailable for comment.

GreyMagic asserted it always tries to work with software companies on security flaws it finds, but said it would now post Netscape warnings without contacting the company. Recently, GreyMagic posted a batch of warnings about security flaws in Microsoft's Office Web Components. In that instance, too, the company issued the warnings before the problem was patched, saying it could not wait until Microsoft finished investigating the problem.

— End

Related articles:
  [April 22, 2002] Microsoft Patches Vulnerable SQL Servers
  [March 7, 2002] Beware of Microsoft Security Updates
  [March 6, 2002] CERT Warns of Two RADIUS Flaws

 
