Closed Bug 1441066 Opened 4 years ago Closed 4 years ago

Can access files in the same directory when using file: scheme

Categories

(Core :: DOM: Security, defect)

58 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 803143

People

(Reporter: michaelbierma, Unassigned)

Details

Attachments

(1 file)

Attached file poc.zip (1.82 KB, application/zip)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36

Steps to reproduce:

Firefox (tested on 58.0.2 (64-bit) for OSX) supports cross origin requests for the file protocol scheme. File formats that support JavaScript (e.g. SVG) are often downloaded from websites/emails/etc. and saved locally. With a specially crafted file, an attacker can gain read access to files in the same directory as the attacker-created file, when the attacker-created file is viewed with Firefox.

The attached proof of concept SVG file contains a script section that could have been crafted by an attacker to point to a malicious domain (the domain in the PoC is set to example.com). If this file is saved to a local directory (for example, the Downloads directory) and then opened with Firefox, an attacker can gain read access to other files within the same directory.

The attached zip file contains a proof of concept SVG file (test.svg) and a sample victim file (test.txt). When extracted, both the SVG file and the txt file must remain in the same directory. Opening the test.svg file in Firefox will open the test.txt file and send the contents to https://example.com/ in the URL path of the request. In order for the PoC to work correctly, the argument to the readTextFile function in test.svg should be updated to point to the correct file path of test.txt.



Actual results:

When the test.svg file was opened with Firefox, the JavaScript inside the script tag was executed. The readTextFile function opens the specified file and returns the text contents. The contents of this file are then passed to the remote URL via the URI path.


Expected results:

Cross origin requests between file and http/https/etc. should not be possible and should be blocked by the browser.
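As an added defensive example (not part of this bug report or the attached PoC): a small Python scanner that flags SVG files carrying active content (script elements, on* event-handler attributes, javascript: hrefs), the kind of downloaded file the report describes. The function names and the two sample SVG strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample with active content: an inline <script>, an event handler
# and a javascript: link (the shape of file the report warns about, not its PoC).
SCRIPTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* inline script would run when the file is opened from file:// */</script>
  <a xlink:href="javascript:void(0)"><text onclick="1">x</text></a>
</svg>"""

# Constructed sample with no active content.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>"""


def local_name(qname):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}' from a tag or attribute name."""
    return qname.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text):
    """Return a list of (reason, element) findings for script-capable constructs in an SVG document."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():  # iter() walks the root and every descendant
        name = local_name(elem.tag)
        if name == "script":
            findings.append(("script element", name))
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):  # onclick, onload, onmouseover, ...
                findings.append((f"event handler attribute {aname}", name))
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript: href", name))
    return findings


def is_scripted(svg_text):
    """True when the SVG contains anything that could execute script when opened locally."""
    return bool(find_active_content(svg_text))


def scan_directory(directory):
    """Return {filename: findings} for every .svg in a directory (e.g. Downloads) that has active content."""
    report = {}
    for path in Path(directory).glob("*.svg"):
        try:
            findings = find_active_content(path.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            findings = [("unparseable SVG (treat as suspicious)", "document")]
        if findings:
            report[path.name] = findings
    return report
```

Files flagged here should be opened only in a sandboxed viewer or after the script content is stripped, rather than directly in a browser from a directory that holds other documents.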
(In reply to michaelbierma from comment #0)
> Cross origin requests between file and http/https/etc. should not be
> possible and should be blocked by the browser.

Do you have a source for this claim?


I think what is surprising you is that we allow access to other files in the same directory. Other than that, the exact same thing would work in Chrome or Edge (i.e. sending data that didn't come from a file in the same directory to http/https).

E.g. load this in either Firefox or Chrome from a file:/// URI:

<script>
  let xhr = new XMLHttpRequest();
  xhr.open("GET", "https://www.mozilla.org/", true);
  xhr.send();
</script>


And the request goes through (the page can't access the result because there's no matching access-control-allow-origin header, but obviously if you were exploiting this that wouldn't matter). The same would apply to `POST` or `PUT` requests, though even if it didn't you could just pass the data in the querystring for the GET request.


So I think this has nothing to do with accessing http/https from file:, and everything to do with our file: access policy, which is already on file as bug 803143.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Summary: Cross origin requests for file scheme → Can access files in the same directory when using file: scheme
Duplicate of bug: 803143
Component: Untriaged → DOM: Security
Product: Firefox → Core