Closed
Bug 263938
Opened 20 years ago
Closed 20 years ago
Images are allowed to be embedded, coming off a user's harddrive
Categories
(Firefox :: General, defect)
People
(Reporter: tonglebeak, Assigned: bugzilla)
Details
(Whiteboard: [sg:nse])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041010 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041010 Firefox/0.10.1

Go to the link about: put in the location of the image on your harddrive, and select the appropriate mime-type (image/jpeg for jpg or jpeg images, image/gif for gif images, etc). When done properly, an image will be displayed off of your harddrive.

Reproducible: Always

Steps to Reproduce:
1. Go to the link
2. Type in location, and appropriate mime-type
3. Hit "Exploit!", and watch as the image on your harddrive is embedded onto the page.

Actual Results:
Image embedded onto page; image comes from user's harddrive.

Expected Results:
Refused to accept file:/// protocol to embed the image.

The reason this is a security threat is that, while only images can be embedded, there have been known cases, AFAIK, of spyware being planted into images. Calling up that image on a site may very well have the capability of executing some sort of spyware attack, if spyware is planted inside the image. This poses a major threat to both security and privacy.

Even IF there had been no cases of spyware being planted in images (which I do believe there have been cases, I remember reading up somewhere about it), sites could still use this vulnerability to bring up images from a harddrive, that might've been saved there previously for any reason, to target the user for ads, or even displaying offensive content, that is an image, that the user never knew existed on their harddrive. In either case, this is a threat that needs to be fixed.
Comment 1•20 years ago
Generated page for values "foo" / "bar":

<html>
<object data="file:///foo" type="bar">omg</object>
<img src="file:///foo" />
</html>

The oldest "exploit". Pages are allowed to embed other domains (or the harddrive), but not access/read/write it. E.g. a site can display a file at c:\image.png (if it knows the filename), but it can't do anything with the file, it can't be uploaded to the site nor can it be modified.

> AFAIK, of spyware being planted into images.

Right, but the malicious images are not likely to be found on your own harddrive, but on hostile sites on the web. These images can be displayed anyways. Are you asking to remove the ability to display images from the web on web pages?

> displaying offensive content, that is an image, that the user never knew
> existed on their harddrive.

Unlikely. Far easier to just display an offensive image from a webserver.

INVALID.
Group: security
Severity: blocker → normal
Whiteboard: [sg:nse]
Updated•20 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Reporter
Comment 2•20 years ago
No, maybe I was misunderstood. The whole point is file:/// protocol should be blocked from websites; websites should NOT be allowed to display anything from a user's harddrive; it just gives that sense of bad security. Furthermore, you completely blew this way out of proportion: the fact that it is unlikely that anything will happen, doesn't take away from the fact that something malicious CAN happen, and it's best to prevent this before it DOES HAPPEN.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 3•20 years ago
Yes, we would like to fix this one.

*** This bug has been marked as a duplicate of 69070 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → DUPLICATE
Updated•20 years ago
Status: RESOLVED → VERIFIED
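
An added example, not from the bug thread and not Mozilla's code: a simplified form of the check the report's Expected Results asks for (refuse file:/// subresources unless the embedding document is itself local), run over the generated page quoted in Comment 1. The function names, the regex-based tag scan, and the example.com / cdn.example URLs are assumptions made for illustration.

```javascript
// Added example; isLoadAllowed and findLocalFileEmbeds are hypothetical names.

// Decide whether a document may load a subresource, looking only at schemes.
function isLoadAllowed(documentUrl, resourceUrl) {
  let doc, res;
  try {
    doc = new URL(documentUrl);
    // Resolving against the document handles relative URLs and
    // normalizes scheme case ("FILE:" becomes "file:").
    res = new URL(resourceUrl, doc);
  } catch (e) {
    return false; // unparseable URL: refuse rather than guess
  }
  // A local document may reference local files; any other document may not.
  if (res.protocol === "file:" && doc.protocol !== "file:") return false;
  return true;
}

// Collect src/data attributes of <img> and <object> tags that the check refuses.
// Regex scan for illustration only, not a full HTML parser.
function findLocalFileEmbeds(html, documentUrl) {
  const tagRe = /<(img|object)\b([^>]*)>/gi;
  const attrRe = /\b(src|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const blocked = [];
  for (const tag of html.matchAll(tagRe)) {
    for (const attr of tag[2].matchAll(attrRe)) {
      const value = attr[2] ?? attr[3] ?? attr[4];
      if (!isLoadAllowed(documentUrl, value)) {
        blocked.push({
          tag: tag[1].toLowerCase(),
          attr: attr[1].toLowerCase(),
          url: value,
        });
      }
    }
  }
  return blocked;
}

// The generated page from Comment 1.
const generatedPage =
  '<html> <object data="file:///foo" type="bar">omg</object> <img src="file:///foo" /></html>';
// Constructed sample: upper-case scheme, a relative URL, and a remote image.
const constructedPage =
  '<img src="FILE:///C:/image.png"><img src="/logo.png"><img src="https://cdn.example/a.gif">';
```

Remote and relative images pass the check, which is the distinction Comment 1 draws: only the file: references from a non-local page are refused.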