Closed Bug 141348 Opened 22 years ago Closed 22 years ago

XMLHttpRequest allows local files to be read

Categories

(Core :: XML, defect)

x86
Windows 2000
defect
Not set
major

Tracking


VERIFIED DUPLICATE of bug 141061

People

(Reporter: mark, Assigned: hjtoi-bugzilla)

References


Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0+) Gecko/20020430
BuildID:    2002043010

The XMLHttpRequest object allows reading of local files by blindly following
server-side redirections.

By directing the "open" method to a web page that will redirect to a
local/remote file it is possible to fool Mozilla into thinking it's still in the
allowed zone, therefore allowing us to read it.

It is then possible to inspect the content by using the responseText
property.

Reproducible: Always
Steps to Reproduce:
1. Go to URL specified above
2. Scroll to Demonstration heading
3. Specify local file name and click "sniff" button

Actual Results:  I was able to pull the contents of various text files from my
local computer, both in the root of c:\ and in my c:\winnt directory.  This is
supposedly the same bug fixed a couple of months ago in IE (see URL for more info).

Expected Results:  Moz should have refused to access a local file.

IMO this is a very serious security bug that should be quickly fixed. I'm
listing severity as Major, because a major feature of the browser should be
security.
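The check the report describes as missing, as an added illustration that is not code from this bug, from Mozilla, or from the reporter's demo page: a redirect policy that re-validates every hop of a redirect chain against the requesting document's origin, so a server-side redirect cannot carry an XMLHttpRequest from an allowed http(s) URL to a local file: URL or to another host. Function names, the example.test host and the file path are hypothetical; the redirect table is constructed sample data.

```javascript
// Added example, not Mozilla's code. Schemes a page-issued request may ever
// be redirected to; file:, chrome:, etc. are never acceptable.
const NETWORK_SCHEMES = new Set(['http:', 'https:']);

// True if a page at `documentOrigin` may fetch `target`: the target must use a
// network scheme and match the document's origin (scheme, host and port).
function isAllowedHop(documentOrigin, target) {
  let doc, url;
  try {
    doc = new URL(documentOrigin);
    url = new URL(target);
  } catch (e) {
    return false; // unparsable URL: deny rather than guess
  }
  if (!NETWORK_SCHEMES.has(url.protocol)) return false;
  return url.origin === doc.origin;
}

// Walk a redirect chain (`redirects` maps a URL to its Location header) and
// check EVERY hop, not only the URL passed to open(). Returns
// { ok, finalUrl, blockedAt } where blockedAt is the hop index that failed
// the policy, or -1 if the whole chain was acceptable.
function followRedirects(documentOrigin, startUrl, redirects, maxHops = 10) {
  let current = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!isAllowedHop(documentOrigin, current)) {
      return { ok: false, finalUrl: current, blockedAt: hop };
    }
    const next = redirects[current];
    if (next === undefined) {
      return { ok: true, finalUrl: current, blockedAt: -1 };
    }
    current = new URL(next, current).href; // resolve a relative Location
  }
  return { ok: false, finalUrl: current, blockedAt: maxHops }; // loop guard
}

// Constructed sample chains: one hop to a local file (the bug's scenario),
// one to a foreign host, one benign same-origin relative redirect, one loop.
const SAMPLE_REDIRECTS = {
  'http://example.test/sniff.cgi': 'file:///c:/winnt/some-local-file.txt',
  'http://example.test/remote.cgi': 'http://other.test/data.xml',
  'http://example.test/ok.cgi': '/data.xml',
  'http://example.test/loop.cgi': 'http://example.test/loop.cgi',
};
```

A request that is permitted at open() time but lands on a file: URL is rejected at the hop where the scheme changes, which is exactly the step the report says Mozilla skipped.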
Duplicate of "XMLHttpRequest allows reading of local files" (please search for
dups before posting!)

*** This bug has been marked as a duplicate of 141061 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
v
Status: RESOLVED → VERIFIED
bzbarsky: re: "please search for dups before posting!"

The original bug was only made public at 15:39, which is roughly 20 minutes
before this one was filed. So it is possible that the reporter *did* search for
dups before filing this one, but just couldn't see it. :-)