Closed
Bug 1020031
Opened 11 years ago
Closed 11 years ago
retrieve cookie from firefox by uploading file
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: miaouuuux, Unassigned)
Attachments
(7 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140506152807
Steps to reproduce:
Test case:
Windows 7 / Firefox 29.0.1 (JavaScript enabled)
I just found a way to retrieve the cookie from Firefox by uploading a small file on file:///Users/..., created with Google Chrome in my test.
Test:
Windows 7 / Firefox 29.0.1 (JavaScript enabled) ... and ... Google Chrome 34.0.1847.137
(Create the file using Google Chrome; there must be other ways to do ...)
--- Steps:
--- Step 1:
In the Google Chrome URL bar, insert the following:
data: application <img%20src="/"=_="title="onerror='javascript:alert(document.cookie)'">
Press enter.
--- Step 2:
A file is downloaded.
--- Step 3:
Click on the file.
--- Step 4:
-> Open with
--- Step 5:
-> Firefox
The same process doesn't work with Mac OS X 10.6.8 / Firefox 29.0.1, and Chrome 35.0.1916.114.
Actual results:
Once launched, obtained in Firefox file:///Users/...... (STEP 6) (in attachment)
I hope to have been clear in my explanations.
PoC in attachment.
I have other captures (PoC) and a copy of the file generated by Google Chrome, if necessary.
I don't know if this is important, but it doesn't work with other browsers (Explorer, Chrome).
OS: Mac OS X → Windows 7
Summary: (xss) retrieve cookie from firefox by uploading file → retrieve cookie from firefox by uploading file
Comment 8•11 years ago
You could also just edit a local file (using notepad or whatever) to create your test.
There are known differences in how the various browsers handle file:/// urls. Since those are generally not accessible from "the web" they were intended for development. Interesting that you're seeing google analytics cookies saved for local files. At some other time in the past you opened a locally-saved file that has google analytics and it set a cookie. You may not have done that in other browsers which is why those browsers don't have local cookies stored.
IE would probably do the same if you let it run scripts (which are disabled by default for file: urls).
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID