Local HTML file opened in Mozilla Firefox can access and leak filesystem content to attacker server.
Categories
(Firefox :: Security, task)
People
(Reporter: hardkorek, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(3 files)
The issue was a proof-of-concept exploit for an unrestricted file upload on a client server I was testing last year. Something like half a year ago it was working only on Kali Linux. The Debian and Windows versions of Firefox were giving an error (sorry, I can't remember the message after this time). Initially I thought that it was some Kali weirdness. Now I decided to test it once more to report the issue to the Kali community, but it works on my Debian stable Firefox 60.6.1esr now. As I mentioned, I was playing with a PoC for unrestricted file upload when I found this one. It is simple code written in a text editor, so only this Apache and the browser were used. The other tested browser version is Firefox 60.4.0esr on Kali.
An attacker may include JavaScript in an HTML document which will read the filesystem and leak the content to a remote server.
You will find the code and screenshot in the attachment.
Chrome still behaves correctly:
badfile.htm:26 Access to XMLHttpRequest at 'file:///home/korek/secret.txt' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https.
Comment 4•6 years ago
This looks like a duplicate of bug 803143 to me, as the demo reads files from the same directory (I'm assuming the /etc/passwd thing doesn't work and that's why it's commented out). This is a known issue.
Comment 6•6 years ago
(In reply to Lukasz from comment #5)
> It can also read from subdirectories.
Yes, we're aware - cf. bug 803143 comment 7, "We have a security policy where a file can only access things in the same directory or subdirectories."
Updated•6 years ago
Guys, forget the bounty, but really this behavior is pretty dangerous, especially allowing JS to process that information.
If someone depends on it, make it optional instead of the default. Also, I'm pretty sure that a couple of months ago (probably pre-Quantum, sorry, not sure after such a long time) Firefox was giving an error that SOP was violated.
Updated•8 months ago