Closed Bug 1541386 Opened 3 years ago Closed 3 years ago

Local HTML file opened in Mozilla Firefox can access and leak filesystem content to attacker server.

Categories

(Firefox :: Security, task)

task
Not set
normal

Tracking

()

VERIFIED DUPLICATE of bug 803143

People

(Reporter: hardkorek, Unassigned)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(3 files)

Attached file badfile.htm

Issue was a proof of concept exploit for unrestricted file upload on client server i was testing last year. Something like half year ago it was working only on KALI linux. Debian and Windows version of Firefox was giving an error (sorry can't remember the message after this time). Initially i thought that is some KALI weirdness. Now I decide to test it once more time to report issue to KALI community but it works on my Debian stable Firefox 60.6.1esr now. As I mentioned I was playing with some PoC for unrestricted file upload when found this one. It is simple code wrote in text editor so only this apache and browser was used. Other tested Browser version is Firefox 60.4.0esr on Kali.
An attacker may include java script in to HTML document which will read filesystem and leak the content to remote server.
You will find the code and screenshoot in attachment.

Flags: sec-bounty?
Attached image firefoxbug.png
Attached file secret.txt

Chrome still behaves correctly:
badfile.htm:26 Access to XMLHttpRequest at 'file:///home/korek/secret.txt' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https.

Summary: HTML file opened in Mozilla Firefox can access and leak filesystem content to attacker server. → Local HTML file opened in Mozilla Firefox can access and leak filesystem content to attacker server.

This looks like a duplicate of bug 803143 to me, as the demo reads files from the same directory (I'm assuming the /etc/passwd thing doesn't work and that's why it's commented out). This is a known issue.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 803143

It can read also from subdirectories.

(In reply to Lukasz from comment #5)

It can read also from subdirectories.

Yes, we're aware - cf. bug 803143 comment 7, "We have a security policy where a file can only access things in the same directory or subdirectories."

Group: firefox-core-security
Status: RESOLVED → VERIFIED
Flags: sec-bounty? → sec-bounty-

Guys forget bounty, but really this behavior is pretty dangerous. Especially allowing JS to process those information.
If someone depend on it make it optional instead of default. Also I'm pretty sure that couple months ago (probably pre quantum sorry not sure after such long time) Firefox were giving error that SOP was violated.

You need to log in before you can comment on or make changes to this bug.