The Web viewer Save button will navigate instead of download when the file argument points at HTML content
Categories
(Firefox :: PDF Viewer, defect)
Tracking
()
People
(Reporter: aliabdallahsyed, Unassigned)
References
()
Details
(Keywords: reporter-external, sec-low, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(2 files)
Capture.PNG
1- visit this link: https://mozilla.github.io/pdf.js/web/viewer.html?file=//www.google.com
2- click on the download button
3- you will find your self redirected to www.google.com
impact:
this redirection affect all pdf.js version which the attacker can use this to redirect the users to a malicious sites
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
|
||
Comment 4•3 years ago
|
||
Hello Ali,
Thank you for your report.
I can confirm this behavior, and will run it by the responsible team.
Thanks,
Frida
|
|
||
Updated•3 years ago
|
|
|
||
Comment 5•3 years ago
|
||
Hello Calixte,
I see you are one of the contributors to https://github.com/mozilla/pdf.js, can you please check this report or redirect us to someone who can help?
Thanks,
Frida
|
||
Comment 6•3 years ago
|
||
Redirecting to Calixte's pro address
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 7•3 years ago
|
||
https://mozilla.github.io/pdf.js/web/viewer.html is just a website to have a live demo of pdf.js.
Anyway we shouldn't allow a download if there was something wrong with the URL.
|
|
Reporter | |
Comment 8•3 years ago
|
||
I can also redirect users to download a malicious files and remember it's not also affect the the live demo it affect all the website who use this extension with all it's versions
|
||
Comment 9•3 years ago
|
||
impact:
this redirection affect all pdf.js version which the attacker can use this to redirect the users to a malicious sites
It's not exactly a "redirect", is it?
- you get someone to open https://pdfviewer.site/viewer.html?file=//www.evil.site
- while they're staring at this empty viewer either
- you hope they discover the download button and randomly click it, or
- they trust your instructions when you tell them to click download
If you can do the above why couldn't you just convince them to open https://www.evil.site directly?
Is your attack assuming people will not recognize relative URLs and think "www.evil.site" is OK when they would otherwise know that https://www.evil.site is dangerous?
I agree the viewer-hosting site may not want this behavior (because people leave their site), but I'm not seeing how this is an "attack"
|
|
Reporter | |
Comment 10•3 years ago
|
||
if the do this step of course the victim will know that is an attack but what if I used a trusted site that use your plugin and url shortener like this link:
https://trusted-site.com/viewer.html?file=https://bit.ly/asdf
|
|
||
Comment 11•3 years ago
•
|
||
One case where the current behavior is useful is if the PDF display fails because of a CORS error. If it's a valid PDF you can download it and view it in another viewer (in the Firefox case, it will render in the browser instead by default). So if we get a CORS error it might make sense to tell the user that PDFjs didn't have permission and offer to try to open it in a new tab. But not through the "download" button, because the CORS error might be hiding a non-PDF.
[deleted incorrect stuff about only relative URLs.]
Separate issue, but for some strange reason download_manager.js resolves relative URLs against an explicit baseURL of "http://example.com" (note: insecure) instead of something sensible like the viewer site. This will cause browsers to use insecure connections, and depending on the site the insecure http: version of a resource could be different (or not found) than the https: version the relative URL was looking at. Doesn't change anything wrt this reporter's bug, just noting it.
We then a link with a download attribute and click it, but we don't always honor that attribute if the fetched content-type is one we've decided the browser knows how to handle (like html)
|
|
||
Comment 12•3 years ago
|
||
I don't see the difference the shortener adds. Obviously an attack isn't going to use literal "evil.site", it will be some domain you've never heard of before, or it will be a phishing-style url that's similar to a trusted domain. A shortener link might even be extra suspicious to some people (to me, anyway).
The contention is your belief that the link recipient will ignore the source and trust the hosting site, and I'm more suspicious of the person who wants me to open this link in the first place.
What happens when you get to the evil site? If it's straight up malware then it doesn't really matter how victims get there -- you might as well hand out the direct link disguised as something else. The only thing that makes any sense to me is if the evil site is disguised as a support site for trusted-site.com, maybe with "help" for why their pdf 1) didn't load, and 2) didn't download that further convinces the user to do something unwise. It's not an "open redirect", it's a multi-step spoofing attempt.
|
|
||
Updated•3 years ago
|
|
|
Reporter | |
Comment 13•3 years ago
|
||
yes you right and sorry for wasting your time.
|
|
||
Updated•3 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•1 year ago
|
Description
•