Closed Bug 1541386 Opened 6 years ago Closed 6 years ago

Local HTML file opened in Mozilla Firefox can access and leak filesystem content to attacker server.

Categories

(Firefox :: Security, task)

VERIFIED DUPLICATE of bug 803143

People

(Reporter: hardkorek, Unassigned)

Details

(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

Attached file badfile.htm

The issue was a proof-of-concept exploit for an unrestricted file upload on a client server I was testing last year. Something like half a year ago it was working only on Kali Linux. The Debian and Windows versions of Firefox were giving an error (sorry, I can't remember the message after this time). Initially I thought that it was some Kali weirdness. Now I decided to test it once more to report the issue to the Kali community, but it works on my Debian stable Firefox 60.6.1esr now. As I mentioned, I was playing with some PoC for unrestricted file upload when I found this one. It is simple code written in a text editor, so only this Apache and the browser were used. The other tested browser version is Firefox 60.4.0esr on Kali.
An attacker may include JavaScript in an HTML document which will read the filesystem and leak the content to a remote server.
You will find the code and screenshot in the attachments.

Flags: sec-bounty?
Attached image firefoxbug.png
Attached file secret.txt

Chrome still behaves correctly:
badfile.htm:26 Access to XMLHttpRequest at 'file:///home/korek/secret.txt' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https.

Summary: HTML file opened in Mozilla Firefox can access and leak filesystem content to attacker server. → Local HTML file opened in Mozilla Firefox can access and leak filesystem content to attacker server.

This looks like a duplicate of bug 803143 to me, as the demo reads files from the same directory (I'm assuming the /etc/passwd thing doesn't work and that's why it's commented out). This is a known issue.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE

It can also read from subdirectories.

(In reply to Lukasz from comment #5)

It can also read from subdirectories.

Yes, we're aware - cf. bug 803143 comment 7, "We have a security policy where a file can only access things in the same directory or subdirectories."

Group: firefox-core-security
Status: RESOLVED → VERIFIED
Flags: sec-bounty? → sec-bounty-
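As an added illustration (not code from the bug report, from Mozilla, or from the attached badfile.htm), the JavaScript below models the two file:// read policies that appear in this thread: the "same directory or subdirectories" rule quoted from bug 803143 comment 7, and a unique-origin rule under which a local document is same-origin only with itself, which in effect is what the Chrome console error above enforces. The paths are the ones from the report (badfile.htm next to secret.txt under /home/korek, plus the /etc/passwd probe mentioned in triage); the function and mode names are this example's own. Paths are normalized before comparison so that `..` segments cannot widen what the same-directory rule permits, and the comparison is made on a directory boundary so that /home/korek/ does not match /home/korek2/. It is a model for reasoning about the policy, not either browser's implementation.

```javascript
// Added example, not from the bug report: a model of the file:// read policy
// discussed in the thread. Function and mode names are this example's own.

// Resolve a file:// URL to a normalized absolute POSIX path. Empty, "." and
// ".." segments are collapsed so "../" cannot escape the directory check.
function filePathOf(fileUrl) {
  const u = new URL(fileUrl);
  if (u.protocol !== "file:") {
    throw new Error(`not a file URL: ${fileUrl}`);
  }
  const out = [];
  for (const seg of decodeURIComponent(u.pathname).split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Decide whether a local document at docUrl may read targetUrl under a mode:
//   "same-directory": the document's own directory and all subdirectories
//                     (the legacy Firefox rule quoted from bug 803143 comment 7)
//   "unique-origin":  every local file is its own origin, so only the document
//                     itself is same-origin (in effect the Chrome behaviour above)
function fileAccessAllowed(docUrl, targetUrl, mode = "same-directory") {
  const doc = filePathOf(docUrl);
  const target = filePathOf(targetUrl);
  if (mode === "unique-origin") {
    return doc === target;
  }
  if (mode !== "same-directory") {
    throw new Error(`unknown policy mode: ${mode}`);
  }
  // Directory of the document including its trailing slash ("/" at the root),
  // so the prefix test is on a directory boundary, not a string prefix.
  const dir = doc.slice(0, doc.lastIndexOf("/") + 1);
  return target.startsWith(dir);
}

// Audit a list of candidate reads for one document under one mode.
function auditReads(docUrl, targetUrls, mode = "same-directory") {
  return targetUrls.map((target) => ({
    target,
    allowed: fileAccessAllowed(docUrl, target, mode),
  }));
}

// Render the audit for both modes as a text report.
function formatAudit(docUrl, targetUrls) {
  const lines = [];
  for (const mode of ["same-directory", "unique-origin"]) {
    lines.push(`policy: ${mode}`);
    for (const { target, allowed } of auditReads(docUrl, targetUrls, mode)) {
      lines.push(`  ${allowed ? "ALLOW" : "BLOCK"} ${target}`);
    }
  }
  return lines.join("\n");
}

// Constructed sample based on the paths in the report: the PoC page sits
// next to secret.txt in /home/korek; the other probes are this example's own.
const DOC = "file:///home/korek/badfile.htm";
const PROBES = [
  "file:///home/korek/secret.txt",
  "file:///home/korek/notes/todo.txt",
  "file:///home/korek/../../etc/passwd",
  "file:///etc/passwd",
  "file:///home/korek2/secret.txt",
];

console.log(formatAudit(DOC, PROBES));
```

Under the same-directory rule the report's secret.txt and anything below /home/korek is readable while /etc/passwd is blocked, which matches the triage assumption that the commented-out /etc/passwd read did not work; under unique-origin every probe is blocked. Firefox 68 later switched to unique-origin behaviour for local files (pref privacy.file_unique_origin), a change that postdates this thread and is not described on this page.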

Guys, forget the bounty, but really this behavior is pretty dangerous, especially allowing JS to process that information.
If someone depends on it, make it optional instead of the default. Also I'm pretty sure that a couple of months ago (probably pre-Quantum, sorry, not sure after such a long time) Firefox was giving an error that SOP was violated.
