Closed Bug 141208 Opened 22 years ago Closed 22 years ago

mozilla can be compromised to read local files!!!

Categories

(Core :: Security, defect, P1)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
VERIFIED DUPLICATE of bug 141061
Milestone:
mozilla1.0

People

(Reporter: bleon, Assigned: security-bugs)

References

(
URL
)

Details

(Whiteboard: [ADT1])

Attachments

(2 files)

calls document.load('redir.asp')
1.23 KB, text/html
Details
redirects the user to file:///c:/test.xml
75 bytes, application/octet-stream
Details 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc1) Gecko/20020417
BuildID:    2002041711

http://sec.greymagic.com/adv/gm001-ns/

there is a security test, which reads local files!

Reproducible: Always
Steps to Reproduce:
1.go to http://sec.greymagic.com/adv/gm001-ns/
2.make a test
3.

Actual Results:  i can see for exanple notes,txt in my home folder

Expected Results:  test fails

Security problem, was found in all version of mozilla on windows
an i have tested it with success on linux :(
Confirmed on today's linux build.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: mozilla1.0, nsbeta1
*** Bug 141212 has been marked as a duplicate of this bug. ***
*** Bug 141214 has been marked as a duplicate of this bug. ***
I am looking at this, although I might need help from Mitch.
Keywords: nsbeta1nsbeta1+
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Whiteboard: [ADT1]
Target Milestone: --- → mozilla1.0
See
http://lxr.mozilla.org/seamonkey/source/netwerk/protocol/http/src/nsHttpChannel.cpp#1534

There the channel calls out to the HTTPEventSink and tells it it is being
redirected.  We probably want to do a security check at this point in
nsXMLHttpRequest (implement nsIHttpEventSink and call CheckConnect() in the
OnRedirect() method).

See what the urichecker
(http://lxr.mozilla.org/seamonkey/source/netwerk/base/src/nsURIChecker.cpp) does
to set itself up as a listener for OnRedirect.... (you need to implement
nsIInterfaceRequestor, among other things).
This bug is also affected by document.load.
Doh, there was a bug on this earlier, duping.

*** This bug has been marked as a duplicate of 141061 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
v
Status: RESOLVED → VERIFIED
The cat is out of the bag. It doesn't seem useful to block access to bug 141061.
How will we in the general public know when it's fixed?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: