UPDATE (1-May-2002): Reading local files in Netscape 6 and Mozilla (GM#001-NS)

From: GreyMagic Software (securityat_private)
Date: Sat May 04 2002 - 02:43:59 PDT


    Shortly after we released the advisory, we received two emails notifying
    us that, while testing with our demonstration, the senders found that this
    bug can also be used to list files in folders.
    That alone makes this bug far more volatile than the one patched by
    MS02-008. It is possible to recursively build a tree of the victim's file
    system, along with size, date and the content of files.
    This vulnerability opens the entire file system up for reading (as long as
    the browser user has access).
    We added a "Mozilla Disk Explorer" demonstration to our advisory, which lets
    you browse through your local disk, entering folders and reading files with
    a simple click. Everything you see in this demonstration could be easily
    transferred to an attacking server, logging your file system structure and
    contents (without need for user interaction, of course).
    You can view it at http://sec.greymagic.com/adv/gm001-ns/mozexplorer.html
    Thanks to "loon" and Gerd Zemella for letting us know.
    On a different note, this issue has been fixed by the Mozilla crew, thanks
    for the quick patch.
    	- GMS
