Closed Bug 1377411 Opened 8 years ago Closed 8 years ago

Unsafe Same Origin Policy in file uri leading to file read/exfiltration

Categories

(Firefox :: Untriaged, defect)

Version: 51 Branch
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 803143

People

(Reporter: jazzy171120, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170127092049

Steps to reproduce:

Firstly, make a file called "passwd" in your default "Downloads" directory with any content you want. Then download this file here "http://ddl3.data.hu/get/332291/10606893/PoC.html", and save it in your "Downloads" folder too. Now open it in Firefox. This will now read the content from the "passwd" file you just made and send it to my server, where you can view it on "http://45.32.162.220/mozilla.txt". The content is base64 encoded. Thus I am able to read any file from the current directory the file is saved in, and also the subdirectories.

Actual results:

By looking at the same origin policy for file:// URIs, I feel it is pretty insecure: https://developer.mozilla.org/en-US/docs/Same-origin_policy_for_file:_URIs

You guys are allowing the read of any files in the same directory or subdirectory of the directory of the current HTML file, if being called from a file:// URI. This can allow the read of any file in the same directory or subdirectory (provided we know the filename). So a malicious attacker could potentially make a user download his "HTML" file (as HTML files are harmless, no viruses in HTML), and then when he opens it, his data will be sent to the attacker's server.

This could be exploited in some ways. For example, a user has downloaded a program called "Program-A", and he has saved it in his "Downloads" folder only. As to install "Program-A", the user has to make a file "Config.txt" in "Program-A/Config.txt" with all his credentials. The attacker somehow comes to know that his victim has downloaded "Program-A", and therefore he makes a plan to steal his credentials. He sends the victim an innocent-looking HTML to download, call it "cats.html". The victim loves cats, and since it is an HTML file only, it can't be malicious (as thought by everyone). He then downloads it in the "Downloads" folder also, and when he opens it, his credentials from "Program-A/Config.txt" are sent to the attacker's server, as shown in the proof of concept.

This type of Same Origin Policy behaviour is not allowed in any other browser (Chrome, Edge); I believe Firefox shouldn't allow it either. Files loaded from the file URI and other files under file URI shouldn't be considered as same origin.

Expected results:

I wouldn't have been able to read the file.
This is a public, well-known aspect of our security implementation and doesn't need to stay hidden. It's also a duplicate. See especially bug 803143 comment 7.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE