Closed Bug 1563390 Opened 5 years ago Closed 5 years ago

Bypassing Same-Origin-Policy to access parent local directory

Categories

(Firefox :: Security, task)

RESOLVED DUPLICATE of bug 1477067

People

(Reporter: 0xc0derm4n, Unassigned)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files)

Attached image Image1.png

According to the Same-Origin-Policy, a local file can access another local file in the same directory, but it can't access files in different directories or get a list of the files and directories stored in the current directory. A local file and its parent directory have different origins.

Examples:

file:///X/A.html can access file:///X/B.html

file:///X/A.html can't access file:///Y/B.html

file:///X/A.html can't access file:///X/

Image1.png shows how SOP denies permission when a local file tries to access its parent directory.

If we open the directory first, then click the name of the file in the list (Image2.png), SOP will confuse the origins and the file can access its parent directory (Image3.png).

This issue allows attackers to obtain sensitive files of victims opening crafted HTML files.

An attack scenario:
Victim downloads a malicious HTML file and opens it. The file lists files and directories stored in Downloads directory, reads them and sends them back to the attacker.

I have provided the poc.html file as a proof of concept for the issue. The file is tested on Mozilla Firefox Quantum 67.0.4 (64-bit).

1- Download poc.html and store it on your local storage.
2- Open poc.html with Mozilla Firefox.
3- Click poc.html from the list.
4- poc.html file lists contents of current directory and reads text files (.txt) stored in the directory.

Flags: sec-bounty?
Attached image Image2.png
Attached image Image3.png
Attached file poc.html
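The rule the report describes, and the directory-inheritance case it observes, as an added model in JavaScript (illustration only, not the reporter's poc.html and not Firefox's implementation): a document may read regular files in its own directory, never another directory or a directory listing; the assumption that a principal can always read its own URL, so that an inherited listing principal reads the listing, is a modelling simplification.

```javascript
// Added model (not Firefox code) of the legacy file: URI same-origin rule
// as described in the report. Node.js or a browser; URL is a global in both.

// Directory containing a file: URL's path ("/X/A.html" -> "/X/").
function dirOf(fileUrl) {
  const u = new URL(fileUrl);
  if (u.protocol !== "file:") throw new Error("file: URL expected: " + fileUrl);
  const p = u.pathname;                       // "." and ".." already resolved
  return p.slice(0, p.lastIndexOf("/") + 1);
}

// Can a document whose principal is `principalUrl` read `targetUrl`?
// Modelling assumption: a principal may always read its own URL, so a
// directory-listing principal (path ending in "/") can read that listing.
function canRead(principalUrl, targetUrl) {
  const t = new URL(targetUrl);
  if (t.protocol !== "file:") return false;
  if (t.href === new URL(principalUrl).href) return true;
  if (t.pathname.endsWith("/")) return false;  // listings are never readable
  return dirOf(principalUrl) === dirOf(targetUrl);
}

// Principal a document ends up with. The report's observation: a file opened
// by clicking it in a directory listing inherits the listing's principal
// instead of its own (this is the bug); otherwise it is the file itself.
function effectivePrincipal(docUrl, openedFromListing) {
  return openedFromListing === undefined ? docUrl : openedFromListing;
}

// The report's three examples, the inheritance case, and a ".." path
// (constructed inputs) evaluated under the model.
function checkReportExamples() {
  const direct = effectivePrincipal("file:///X/A.html");
  const viaListing = effectivePrincipal("file:///X/A.html", "file:///X/");
  return {
    sameDir: canRead(direct, "file:///X/B.html"),          // true
    otherDir: canRead(direct, "file:///Y/B.html"),         // false
    parentListing: canRead(direct, "file:///X/"),          // false: expected SOP
    inherited: canRead(viaListing, "file:///X/"),          // true: the bug
    traversal: canRead(direct, "file:///X/../Y/B.html"),   // false
  };
}
```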

Firefox's same-origin-policy for file: URIs is well documented, a relic of a bygone era when usage of file: URIs was common (and a more restrictive policy wasn't possible). This bug is a dupe of 803143, and bug 1500453 is the SOP change which addresses it.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-

Paul: is this more like a dupe of bug 1477067? That is, even if we don't change the intent of our current file handling the inheritance from a directory is a bug. Of course if we do (bug 803143, bug 1500453) then this becomes moot.

Flags: needinfo?(ptheriault)

(In reply to Daniel Veditz [:dveditz] from comment #5)

Paul: is this more like a dupe of bug 1477067? That is, even if we don't change the intent of our current file handling the inheritance from a directory is a bug. Of course if we do (bug 803143, bug 1500453) then this becomes moot.

Ah yes, I was looking for that.

Flags: needinfo?(ptheriault)
Group: firefox-core-security