Comments on: Bogus Firefox XMLHttpRequest Security Bug Report? http://pathfindersoftware.com/2006/07/bogus_firefox_x/ The Fastest Way to Launch Successful Software Thu, 19 Jan 2012 16:36:03 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Jering http://pathfindersoftware.com/2006/07/bogus_firefox_x/#comment-5423 Jering Tue, 20 Feb 2007 12:22:19 +0000 http://www.pathf.com/blogs/?p=527#comment-5423 <p>I find the opposite to be a bug. I don't get the contents of a .url file using XMLHttpRequest. Instead FireFox follows the URL in the url file and returns the contents of that file. I need to inspect the contents of the .url file, as it contains valuable information not contained inside the destination file. IE works correctly. This bug needs to be fixed in Firefox. </p> I find the opposite to be a bug. I don’t get the contents of a .url file using XMLHttpRequest. Instead FireFox follows the URL in the url file and returns the contents of that file. I need to inspect the contents of the .url file, as it contains valuable information not contained inside the destination file. IE works correctly. This bug needs to be fixed in Firefox.

]]> By: Vineet Reynolds http://pathfindersoftware.com/2006/07/bogus_firefox_x/#comment-5422 Vineet Reynolds Wed, 05 Jul 2006 18:51:02 +0000 http://www.pathf.com/blogs/?p=527#comment-5422 <p>Well that's true. Even I discovered this about a month ago. However, nothing malicious is possible in FF. You can only read files [those allowed by the OS that is] at worst, but you cannot write or append them.<br /> The FileSystem Object under IE is a different story altogether. I came across this while fixing a company web app and made a mental note to avoid FSO altogether.</p> <p>The place where I started off:<a href="http://www.codeproject.com/jscript/brwswhta.asp" rel="nofollow">http://www.codeproject.com/jscript/brwswhta.asp</a></p> Well that’s true. Even I discovered this about a month ago. However, nothing malicious is possible in FF. You can only read files [those allowed by the OS that is] at worst, but you cannot write or append them.
The FileSystem Object under IE is a different story altogether. I came across this while fixing a company web app and made a mental note to avoid FSO altogether.

The place where I started off:http://www.codeproject.com/jscript/brwswhta.asp

]]> By: Jeromy http://pathfindersoftware.com/2006/07/bogus_firefox_x/#comment-5421 Jeromy Wed, 05 Jul 2006 01:13:54 +0000 http://www.pathf.com/blogs/?p=527#comment-5421 <p>"This is not a bug, it simply belongs to the uninformed programmer category."</p> <p>And the uninformed rest-of-the world who runs local html files _every_ day. I really don't understand this mentality that opening a HTML file and granting it access to your entire hard drive without anyone knowing it is OK. I've been opening html files for almost a decade and have never been concerned that it might upload sensitive data. I'm curious that programmers think this a good idea but don't think it's a good idea to make the public aware of the risks. IE breaks scripts on locally ran files btw.</p> “This is not a bug, it simply belongs to the uninformed programmer category.”

And the uninformed rest-of-the world who runs local html files _every_ day. I really don’t understand this mentality that opening a HTML file and granting it access to your entire hard drive without anyone knowing it is OK. I’ve been opening html files for almost a decade and have never been concerned that it might upload sensitive data. I’m curious that programmers think this a good idea but don’t think it’s a good idea to make the public aware of the risks. IE breaks scripts on locally ran files btw.

]]> By: Vineet Reynolds http://pathfindersoftware.com/2006/07/bogus_firefox_x/#comment-5420 Vineet Reynolds Sun, 02 Jul 2006 17:23:06 +0000 http://www.pathf.com/blogs/?p=527#comment-5420 <p>Yea, it's correct behavior. Nothing buggy.<br /> Even IE 6 will do the same thing.</p> <p>This is a security flaw only on the machine where the html file + script has access to the filesystem of the PC.</p> <p>Natively, any OS+browser will disallow any remote script to access the client's filesystem. The only way to access the filesystem via a remote server is to use the File Scripting Objects of IE.<br /> The coder at Zlap, has overcome that by asking the user to download the html file + script down to the user's machine.<br /> When downloaded onto the machine, the file no longer belongs to the internet zone, but instead belongs to the "My Computer" zone [of IE] or it's equivalent in FF. Far more privileges can be obtained in such a zone.<br /> This is not a bug, it simply belongs to the uninformed programmer category.</p> Yea, it’s correct behavior. Nothing buggy.
Even IE 6 will do the same thing.

This is a security flaw only on the machine where the html file + script has access to the filesystem of the PC.

Natively, any OS+browser will disallow any remote script to access the client’s filesystem. The only way to access the filesystem via a remote server is to use the File Scripting Objects of IE.
The coder at Zlap, has overcome that by asking the user to download the html file + script down to the user’s machine.
When downloaded onto the machine, the file no longer belongs to the internet zone, but instead belongs to the “My Computer” zone [of IE] or it’s equivalent in FF. Far more privileges can be obtained in such a zone.
This is not a bug, it simply belongs to the uninformed programmer category.

]]>