Arbitrary local files disclosure in input[webkitdirectory]
Categories
(Core :: Widget, defect, P2)
Tracking
()
People
(Reporter: qab, Assigned: pbz)
References
()
Details
(Keywords: csectype-disclosure, sec-moderate, stale-bug, Whiteboard: [adv-main85+])
Attachments
(5 files, 1 obsolete file)
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Steps to reproduce: Note: This was originally part of Bug 1319370 but this turned to be a separate bug deserving of its own report. 1. Open attached PoC 2. Hold down 'enter' 3. If the last used/default folder is 'my documents' (on windows) 4. All the contents of that folder will be accessible without the explicit permission from the user. ( believe it's the case that this works on more folders in non-windows OS Actual results: Once a folder upload prompt appears, IFF a user was holding down the 'enter' key the last used directory/default (if they are within 'My Documents' folder or similar) we are able to trick the user into giving us access to all the files in my documents. Expected results: The folder upload button should be blurred from.
Reporter | ||
Comment 1•7 years ago
|
||
Could you please test on non-windows Os?
Comment hidden (typo) |
Comment 3•7 years ago
|
||
On linux the default directory is 'Desktop'. I agree we should not put the focus on the 'OK' button.
Reporter | ||
Comment 4•7 years ago
|
||
I was thinking about a workaround if this was fixed by simply blurring the button and I think there is still a way to do it. We can theoretically predict where the upload button would appear, with the coordinates at hand we can trick the user into clicking an area on the document repeatedly. After the user is recorded clicking a few times we could insert an input element right where the user is clicking, now since the user is clicking on the coordinates where the upload button will appear, the user could potentially be fooled into pressing the upload file button and disclose all files. So I think the only safe solution here is to completely disable the button and only enable it once a folder has been selected via click or keyboard keys. Alternatively, always default to a un-uploadable pseudo-folder (for a lack of a better word) similar to Windows' "This PC" location. Hope other operating systems have something similar.
Updated•7 years ago
|
Updated•7 years ago
|
Updated•7 years ago
|
Updated•7 years ago
|
Comment 5•7 years ago
|
||
Andrea, please investigate a fix. Thanks.
Updated•7 years ago
|
Comment 6•7 years ago
|
||
It looks like this has been posted publicly in http://leucosite.com/Chrome-Firefox-Edge-Local-File-Disclosure/
Comment hidden (off-topic) |
Updated•7 years ago
|
Comment hidden (off-topic) |
Reporter | ||
Comment 9•7 years ago
|
||
(In reply to Al Billings [:abillings] from comment #8) > Abdulrahman, if it isn't clear. Publicly discussing the details of a > security bug that we haven't fixed yet is bad form, especially if you never > put any disclosure date warnings in communications with us. 90 days, at > least, is the industry standard for people that do put such guidelines on > disclosure into place. Finding out via twitter and blogs that you've > potentially 0dayed users is not cool. I don't think this bug is as severe given Bug 1319370 was fixed, the chances of this affecting any Nightly users is low in my opinion, especially since I disclosed publicly. I definitely should have re-read the bug bounty policy, last I read it it mentioned giving at least 60 days for bugs to be fixed, this was removed. Keep in mind I reported this in Bug 1319370 5 months ago and its been reported here 2 months ago (the 60 I assumed was minimum), so I hope you see I did not have any bad intent just looked like to me I had the right to publicly disclose given everything. Also, I had reported this to Google 8 months and I was eager to write about it. I will be sure to give you guys a heads up if I ever intend on doing something like this again now that I re-read the policy. Apologies for any inconvenience.
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment 13•7 years ago
|
||
The bug is not in DOM. we should implement something better at a FilePicker widget level.
Comment 14•7 years ago
|
||
This is an assigned P1 bug without activity in two weeks. If you intend to continue working on this bug for the current release/iteration/sprint, remove the 'stale-bug' keyword. Otherwise we'll reset the priority of the bug back to '--' on Monday, August 28th.
Updated•7 years ago
|
Comment 15•7 years ago
|
||
Somebody working on widgets should take it.
Comment 16•7 years ago
|
||
Jim, do you know who might be able to work on this?
Updated•7 years ago
|
Comment 17•7 years ago
|
||
I can reproduce. My default was desktop so nothing happened. I think the idea that the user must hold the enter button (triggering repeat) makes this a bit of an outlier. Will find an owner.
Comment 19•6 years ago
|
||
So unsurprisingly, "some people" are now reporting dupes based on the publicized stuff from qab (also pinned tweet...) as gone over in previous comments. I think we should assume people will try to exploit this if/when convenient to them given it's all public at this point. Jim, can you please find someone to own this?
Reporter | ||
Comment 20•6 years ago
|
||
I am still ashamed for that. My apologies for making things more complicated. FWIW I unpinned the tweet. Also, Chrome went with showing a dialog before files are uploaded (along with removing focus from OK button in some OS).
Updated•6 years ago
|
Comment 21•6 years ago
|
||
This is bad UI that could be improved to reduce the opportunities for social engineering, but it does not meet the severity level for the Bug Bounty program.
Comment 23•4 years ago
|
||
Looks like on Windows you can require interaction with the view in the modal dialog before the OK button is enabled by passing FOS_OKBUTTONNEEDSINTERACTION
(which is listed as one of the relevant options on the doc site, but with no explanation, so I wonder when that got added and on what OSes it's supported...). That seems to wfm on win10.
However, even Edge does not appear to use it; it instead prompts for confirmation before uploading, as does Chrome - with a dialog that then defaults to [Cancel]
(despite the styling of the dialog buttons suggesting that "Upload" is the default, which is... weird.)
Dan, what do you think about doing the same?
Updated•4 years ago
|
Comment 25•4 years ago
|
||
Paul, do you have cycles to look at adding a confirmation dialog using the tab-modal dialog infrastructure to mimic Edge/Chrome? Looks like somewhere like https://searchfox.org/mozilla-central/rev/e1d1f043957191616721b9e8bf811c0aab8a203a/dom/html/HTMLInputElement.cpp#483 would work?
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 26•4 years ago
|
||
Assignee | ||
Comment 27•4 years ago
|
||
This also fixes an issue where MockFilePicker wouldn't set the mode correctly,
which caused it to always use "modeOpen". For this test we need to pass
"modeGetFolder" in order for the prompt to show.
Depends on D95324
Comment 28•4 years ago
|
||
Pushed by pzuhlcke@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5c29fd30af97 Ask user for confirmation before folder upload. r=Gijs,geckoview-reviewers,agi,baku https://hg.mozilla.org/integration/autoland/rev/5bddcb99f650 Added test for folder upload confirmation prompt. r=Gijs
Comment 29•4 years ago
|
||
Backed out for perma failures.
Log: https://treeherder.mozilla.org/logviewer?job_id=321917169&repo=autoland&lineNumber=5103
Backout: https://hg.mozilla.org/integration/autoland/rev/72c8c0774cee0aac6084838f837186f904f7bb52
Assignee | ||
Comment 30•4 years ago
|
||
Depends on D96526
Comment 31•4 years ago
|
||
Pushed by pzuhlcke@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fa598dea0903 Ask user for confirmation before folder upload. r=Gijs,geckoview-reviewers,baku https://hg.mozilla.org/integration/autoland/rev/9515d8916527 Added test for folder upload confirmation prompt. r=Gijs https://hg.mozilla.org/integration/autoland/rev/7b898a8dac3c Updated webkitdirectory test to handle confirm prompts. r=Gijs
Assignee | ||
Updated•4 years ago
|
Comment 32•4 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/fa598dea0903
https://hg.mozilla.org/mozilla-central/rev/9515d8916527
https://hg.mozilla.org/mozilla-central/rev/7b898a8dac3c
Updated•3 years ago
|
Comment 33•3 years ago
|
||
Comment 34•3 years ago
|
||
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Description
•