Closed Bug 1342693 Opened 3 years ago Closed 3 years ago

(Similar to Bug 1295023) Ability to determine the existence of a file in the local filesystem using <track> tag with onerror event

Categories

(Core :: Audio/Video: Playback, defect)

51 Branch
defect
Not set

RESOLVED WORKSFORME

People

(Reporter: jordi.chancel, Unassigned)

Details

(Keywords: csectype-disclosure, sec-low)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

(same PoC used in Bug 1295023)

A local file (like an HTML file) using a <track> tag with an onerror JavaScript event is able to determine the existence of other local files in the filesystem.

This vulnerability still works (when I tested the PoC in Firefox 51.0.1 for Mac) despite the Firefox 51 update showing that this vulnerability is fixed in this release.

Steps:
1) Download the testcase and load the downloaded testcase with Firefox 51.0.1

(PoC tested on Mac OS Yosemite and Mac OS El Capitan)



Actual results:

The onerror event is able to determine the existence of other local files.


Expected results:

The onerror event shouldn't determine the existence of a local file in the local filesystem.

(Info about this issue: I have only tested the PoC on Mac, so if it seems fixed on other OSes, this isn't the case for Mac)
Alastor, given you wrote the fix for bug 1295023, can you take a look?

Dan, do you want to open this up given it's sec-low, or keep it closed given it's a bug we've advertised as fixed and now maybe isn't fixed?
Group: firefox-core-security → core-security
Component: Untriaged → Audio/Video: Playback
Flags: needinfo?(dveditz)
Flags: needinfo?(alwu)
Product: Firefox → Core
I have only tested on Mac: Mac OS Yosemite and Mac OS El Capitan.
(If this disclosure vulnerability seems fixed on other OSes, on Mac OS this disclosure vulnerability works perfectly)
Flags: needinfo?(alwu)
Keep NI, I'll check it later.
Flags: needinfo?(alwu)
Hi, Jordi,
After testing, I didn't see any problem and the result is correct. The onerror event was fired the same number of times for both cases.
I tested in Nightly 54.0a1 (2017-03-01) on OSX El Capitan (10.11.4).
Flags: needinfo?(alwu) → needinfo?(jordi.chancel)
Attached file Video Example1.html
Look at this video, which displays two different results for an existing file and a non-existing file.

In this video example you can see that:

When I try to determine if "file:///etc/passwd/" exists, the alert() message box says: "File Exists".

And when I try to determine if "file:///etc/passwd/testnolocalfile" exists, the alert() message box says: "File Does not Exist".
Flags: needinfo?(jordi.chancel)
Can you reproduce this issue in FF52?
Flags: needinfo?(jordi.chancel)
I cannot reproduce this issue in Firefox 52, but in Firefox 50.0.1 it works.

I analyzed this vulnerability; it also allows determining the existence of a local file, but it works differently than bug 1295023.

This disclosure bug can also determine if a local file exists or not, but it works by analyzing the results obtained on two compared URLs.

E.g.: if the onerror event defines that "file:///etc/passwd" = 1 and "file:///etc/passwd/testnolocalfile" = 0,
the local file "file:///etc/passwd" exists
(1 + 0 = the local file exists),

but if the onerror event defines that "file:///testnolocalfile" = 1 and that "file:///testnolocalfile/testnolocalfile" = 1,
the local file does not exist
(1 + 1 = the local file does not exist).

Thanks.
Flags: needinfo?(jordi.chancel)
I don't know why this vulnerability still works on FF51, but it's not reproducible on FF52 and afterward.
But considering FF52 would go to release channel soon and this issue is low-security, should we still need to fix this issue on FF51? Or can we mark it as WONTFIX?
Flags: needinfo?(bwu)
(In reply to Alastor Wu [:alwu] from comment #8)
> I don't know why this vulnerability still works on FF51, but it's not
> reproducible on FF52 and afterward.
> But considering FF52 would go to release channel soon and this issue is
I suppose you are saying FF51.
> low-security, should we still need to fix this issue on FF51? or we can mark
> it as WONTFIX?
Agree. We should close it as WONTFIX.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwu)
Resolution: --- → WONTFIX
Group: core-security
Flags: needinfo?(dveditz)
Resolution: WONTFIX → WORKSFORME