Bypassing Same-Origin-Policy to access parent local directory
Categories: Firefox :: Security, task
People: Reporter: 0xc0derm4n, Unassigned
Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Attachments: 4 files
According to the Same-Origin-Policy, a local file can access another local file in the same directory, but it can't access files of different directories or get a list of the files and directories stored in the current directory. A local file and its parent directory have different origins.
Examples:
file:///X/A.html can access file:///X/B.html
file:///X/A.html can't access file:///Y/B.html
file:///X/A.html can't access file:///X/
Image1.png shows how SOP denies permission when a local file tries to access its parent directory.
If we open the directory first, then click the name of the file in the list (Image2.png), SOP will confuse origins and the file can access its parent directory (Image3.png).
This issue allows attackers to obtain sensitive files of victims opening crafted HTML files.
An attack scenario:
Victim downloads a malicious HTML file and opens it. The file lists files and directories stored in Downloads directory, reads them and sends them back to the attacker.
I have provided the poc.html file as a proof of concept for the issue. The file is tested on Mozilla Firefox Quantum 67.0.4 (64-bit).
1- Download poc.html and store it on your local storage.
2- Open poc.html with Mozilla Firefox.
3- Click poc.html from the list.
4- poc.html file lists contents of current directory and reads text files (.txt) stored in the directory.
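The file: URI rule the report describes above, as an added example that is not part of the original report or of Firefox's code: a small model of the rule, checked against the three examples given, plus a comparison of constructed "observed" results (mirroring Image1 and Image3) against the model to flag the kind of deviation this bug reports. Function names are assumptions; it runs under Node, whose WHATWG URL parser normalizes dot segments such as "../".

```javascript
// Added example: a model of the legacy Firefox file: URI rule as this report
// describes it (a file may read sibling files in its own directory, never a
// directory listing or a file in another directory). NOT Firefox's
// implementation; all function names here are assumed.

// Directory part of a file: URL, including the trailing "/".
function fileDirectory(uri) {
  const url = new URL(uri);
  if (url.protocol !== "file:") throw new Error("not a file: URL: " + uri);
  const p = url.pathname; // already normalized, so "X/sub/../B.html" -> "/X/B.html"
  return p.slice(0, p.lastIndexOf("/") + 1);
}

// A URL ending in "/" names a directory listing rather than a file.
function isDirectoryUri(uri) {
  return new URL(uri).pathname.endsWith("/");
}

// The rule from the report: target must be a file in the source's own directory.
// Paths are compared byte-for-byte; case-insensitive filesystems are not modeled.
function fileUriAllowsAccess(source, target) {
  if (isDirectoryUri(target)) return false; // the listing itself is never readable
  return fileDirectory(source) === fileDirectory(target);
}

// Compare what a test page actually observed against the model. Any access the
// model denies but the browser granted is a policy deviation worth reporting.
function findPolicyDeviations(observations) {
  return observations.filter(
    (o) => o.allowed && !fileUriAllowsAccess(o.source, o.target)
  );
}

// Constructed observations: poc.html opened directly (Image1) is denied the
// listing; opened by clicking its name in the listing (Image3) it is granted.
const observed = [
  { source: "file:///X/Downloads/poc.html", target: "file:///X/Downloads/",
    how: "opened directly", allowed: false },
  { source: "file:///X/Downloads/poc.html", target: "file:///X/Downloads/",
    how: "opened from directory listing", allowed: true },
];

for (const d of findPolicyDeviations(observed)) {
  console.log(`deviation: ${d.source} could read ${d.target} (${d.how})`);
}
```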
Comment 1•5 years ago
Comment 2•5 years ago
Comment 3•5 years ago
Firefox's same-origin-policy for file: URIs is well documented, a relic of a bygone era when usage of file: URIs was common (and a more restrictive policy wasn't possible). This bug is a dupe of 803143 and bug 1500453 is the SOP change which addresses it.
Updated•5 years ago
Comment 5•5 years ago
Paul: is this more like a dupe of bug 1477067? That is, even if we don't change the intent of our current file handling the inheritance from a directory is a bug. Of course if we do (bug 803143, bug 1500453) then this becomes moot.
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Paul: is this more like a dupe of bug 1477067? That is, even if we don't change the intent of our current file handling the inheritance from a directory is a bug. Of course if we do (bug 803143, bug 1500453) then this becomes moot.
Ah yes, I was looking for that.
Updated•11 months ago