mozilla can be compromised to read local files!!!

VERIFIED DUPLICATE of bug 141061

Status

P1
critical
17 years ago
10 years ago

People

(Reporter: bleon, Assigned: security-bugs)

Tracking

Trunk
mozilla1.0
Details

(Whiteboard: [ADT1], URL)

Attachments

(2 attachments)

(Reporter)

Description

17 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc1) Gecko/20020417
BuildID:    2002041711

http://sec.greymagic.com/adv/gm001-ns/

there is a security test, which reads local files!

Reproducible: Always
Steps to Reproduce:
1. Go to http://sec.greymagic.com/adv/gm001-ns/
2. Make a test
3.

Actual Results:  I can see, for example, notes.txt in my home folder

Expected Results:  test fails

Security problem, was found in all versions of Mozilla on Windows,
and I have tested it with success on Linux :(
Confirmed on today's linux build.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: mozilla1.0, nsbeta1
*** Bug 141212 has been marked as a duplicate of this bug. ***
*** Bug 141214 has been marked as a duplicate of this bug. ***
I am looking at this, although I might need help from Mitch.
Keywords: nsbeta1 → nsbeta1+
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Whiteboard: [ADT1]
Target Milestone: --- → mozilla1.0
See
http://lxr.mozilla.org/seamonkey/source/netwerk/protocol/http/src/nsHttpChannel.cpp#1534

There the channel calls out to the HTTPEventSink and tells it it is being
redirected.  We probably want to do a security check at this point in
nsXMLHttpRequest (implement nsIHttpEventSink and call CheckConnect() in the
OnRedirect() method).

See what the urichecker
(http://lxr.mozilla.org/seamonkey/source/netwerk/base/src/nsURIChecker.cpp) does
to set itself up as a listener for OnRedirect.... (you need to implement
nsIInterfaceRequestor, among other things).
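
The redirect-time check proposed in the comment above, as an added stand-alone C++ model (not Mozilla's code and not part of the original bug). `OriginOf`, `Load`, the two `LoadChecked...` functions and this `CheckConnect` are hypothetical stand-ins rather than Gecko interfaces; `site.example` and the redirect table are constructed, and the `file:///c:/test.xml` target comes from attachment 81702.

```cpp
#include <cctype>
#include <functional>
#include <map>
#include <string>

// Illustrative model only; these are not Gecko's classes or signatures.
using RedirectMap = std::map<std::string, std::string>;  // constructed server behaviour
using RedirectSink = std::function<bool(const std::string& to)>;

// Lower-cased "scheme://authority"; file:///c:/test.xml yields "file://". Ports are not normalised.
std::string OriginOf(const std::string& uri) {
    std::size_t colon = uri.find(':');
    if (colon == std::string::npos) return "";
    std::string origin = uri.substr(0, colon) + "://";
    if (uri.compare(colon, 3, "://") == 0) {
        std::size_t start = colon + 3, end = uri.find('/', start);
        origin += uri.substr(start, end == std::string::npos ? end : end - start);
    }
    for (char& c : origin) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return origin;
}

// Stand-in for the same-origin test: may script from `caller` read `target`?
bool CheckConnect(const std::string& caller, const std::string& target) {
    std::string a = OriginOf(caller);
    return !a.empty() && a == OriginOf(target);
}

// Follows redirects, asking the sink before each hop; "" means vetoed or too many hops.
std::string Load(std::string uri, const RedirectMap& redirects, const RedirectSink& sink) {
    for (int hops = 0; hops < 10; ++hops) {
        auto it = redirects.find(uri);
        if (it == redirects.end()) return uri;
        if (sink && !sink(it->second)) return "";
        uri = it->second;
    }
    return "";
}

// Before: only the URI the script asked for is checked; redirects are followed blindly.
std::string LoadCheckedAtOpenOnly(const std::string& page, const std::string& uri, const RedirectMap& r) {
    return CheckConnect(page, uri) ? Load(uri, r, nullptr) : "";
}

// After: the same check is repeated in the redirect callback for every hop.
std::string LoadCheckedOnRedirect(const std::string& page, const std::string& uri, const RedirectMap& r) {
    RedirectSink sink = [&page](const std::string& to) { return CheckConnect(page, to); };
    return CheckConnect(page, uri) ? Load(uri, r, sink) : "";
}
```
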

Comment 6

17 years ago
Created attachment 81701 [details]
calls document.load('redir.asp')

Comment 7

17 years ago
Created attachment 81702 [details]
redirects the user to file:///c:/test.xml

Comment 8

17 years ago
This bug is also affected by document.load.
Doh, there was a bug on this earlier, duping.

*** This bug has been marked as a duplicate of 141061 ***
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE
v
Status: RESOLVED → VERIFIED

Comment 11

17 years ago
The cat is out of the bag. It doesn't seem useful to block access to bug 141061.
How will we in the general public know when it's fixed? 