Closed Bug 1295023 (CVE-2017-5387) Opened 3 years ago Closed 3 years ago

Ability to determine the existence of a file in the local filesystem

Categories

(Core :: Audio/Video: Playback, defect)

45 Branch
defect
Not set

Tracking

RESOLVED FIXED
mozilla51
Tracking Status
firefox51 --- fixed

People

(Reporter: strukt93, Assigned: alwu)

Details

(Keywords: csectype-disclosure, sec-low, Whiteboard: [adv-main51+] local attack)

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160802213348

Steps to reproduce:

The issue exists because a <track> tag's onerror event is triggered twice if the file referenced in its src attribute doesn't exist, while it's only triggered once if the file exists but is not playable.

Please check the attached file for a PoC. Change the path to the file in the src attribute in the <track> tag for the different behaviors explained.


Actual results:

The onerror event for the <track> tag is fired twice if the file doesn't exist and once if it does.


Expected results:

The onerror event should be fired the same number of times for both cases.

Rillian, can you or someone else who's worked on this code look at this?
Group: firefox-core-security → core-security
Component: Untriaged → Audio/Video
Flags: needinfo?(giles)
Product: Firefox → Core

Alastor, can you take a look at this please?
Assignee: nobody → alwu
Flags: needinfo?(giles)

This works as a local attack only--that is, when the PoC is itself loaded from a file:/// url. From a web page you always get a "doesn't exist" result because there's a security error thrown:

Security Error: Content at https://bug1295023.bmoattachments.org/attachment.cgi?id=8780916 may not load or link to file:///etc/passwd.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: local attack

Sure, I will check it later.
Component: Audio/Video → Audio/Video: Playback

Comment on attachment 8782394 [details]
Bug 1295023 - ignore to set the same value for the ready state.

https://reviewboard.mozilla.org/r/72578/#review70330
Attachment #8782394 - Flags: review?(giles) → review+

Pushed by alwu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/305892e22d9c
ignore to set the same value for the ready state. r=rillian

https://hg.mozilla.org/mozilla-central/rev/305892e22d9c
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Whiteboard: local attack → [adv-main51+] local attack
Alias: CVE-2017-5387
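
The idea behind the fix named in the commit message above ("ignore to set the same value for the ready state"), as an added example that is not Gecko's code: a simplified C++ model showing how a setter that fires an error event on every write makes the event count depend on whether the file exists, and how ignoring same-value writes equalizes it. All type and function names are hypothetical, and the two points at which the missing-file case reports failure are an assumption, since the bug only states that the event fired twice.

```cpp
#include <cstdio>

// Simplified model; every name here is hypothetical, not taken from Gecko.
enum class ReadyState { None, Loading, Loaded, Error };

// The two cases compared in the bug report.
enum class LoadOutcome { MissingFile, UnplayableFile };

struct TrackModel {
  bool guardSameValue;   // true models the behaviour after the fix
  ReadyState state = ReadyState::None;
  int errorEvents = 0;   // what a page's onerror handler would count

  explicit TrackModel(bool guard) : guardSameValue(guard) {}

  void SetReadyState(ReadyState next) {
    // The fix: writing the current value again is not a state transition.
    if (guardSameValue && next == state) return;
    state = next;
    if (state == ReadyState::Error) ++errorEvents;  // dispatch "error"
  }

  // Returns the number of error events a page script would observe.
  int Load(LoadOutcome outcome) {
    SetReadyState(ReadyState::Loading);
    if (outcome == LoadOutcome::MissingFile) {
      // Assumed first failure path: the file cannot be opened.
      SetReadyState(ReadyState::Error);
    }
    // Assumed common failure path: the load ends without usable cues.
    SetReadyState(ReadyState::Error);
    return errorEvents;
  }
};

// True when the event count differs between the two outcomes, which is
// exactly the signal that reveals whether the file exists.
bool CountLeaksExistence(bool guard) {
  int missing = TrackModel(guard).Load(LoadOutcome::MissingFile);
  int unplayable = TrackModel(guard).Load(LoadOutcome::UnplayableFile);
  return missing != unplayable;
}

int main() {
  std::printf("without guard, count leaks: %d\n", CountLeaksExistence(false));
  std::printf("with guard, count leaks:    %d\n", CountLeaksExistence(true));
  return 0;
}
```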