Closed Bug 263938 Opened 20 years ago Closed 20 years ago

Images are allowed to be embedded, coming off a user's harddrive

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal


VERIFIED DUPLICATE of bug 69070

People

(Reporter: tonglebeak, Assigned: bugzilla)


Details

(Whiteboard: [sg:nse])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041010 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041010 Firefox/0.10.1

Go to the link about: put in the location of the image on your hard drive, and
select the appropriate mime-type (image/jpeg for jpg or jpeg images, image/gif
for gif images, etc). When done properly, an image will be displayed off of your
hard drive.

Reproducible: Always
Steps to Reproduce:
1. Go to the link
2. Type in location, and appropriate mime-type
3. Hit "Exploit!", and watch as the image on your hard drive is embedded onto the
page.

Actual Results:  
Image embedded onto page; image comes from user's hard drive.

Expected Results:  
Refused to accept file:/// protocol to embed the image.

The reason this is a security threat is that, while only images can be embedded,
there have been known cases, AFAIK, of spyware being planted into images.
Calling up that image on a site may very well have the capability of executing
some sort of spyware attack, if spyware is planted inside the image. This poses
a major threat to both security and privacy.

Even IF there had been no cases of spyware being planted in images (which I do
believe there have been cases, I remember reading up somewhere about it), sites
could still use this vulnerability to bring up images from a hard drive, that
might've been saved there previously for any reason, to target the user for ads,
or even displaying offensive content, that is an image, that the user never knew
existed on their hard drive.

In either case, this is a threat that needs to be fixed.

Generated page for values "foo" / "bar":
<html>
<object data="file:///foo" type="bar">omg</object>
<img src="file:///foo" /></html>


The oldest "exploit". Pages are allowed to embed other domains (or the
hard drive), but not access/read/write it. E.g. a site can display a file at
c:\image.png (if it knows the filename), but it can't do anything with the file,
it can't be uploaded to the site nor can it be modified.

> AFAIK, of spyware being planted into images.

Right, but the malicious images are not likely to be found on your own hard drive,
but on hostile sites on the web. These images can be displayed anyway. Are you
asking to remove the ability to display images from the web on web pages?

> displaying offensive content, that is an image, that the user never knew
> existed on their harddrive.

Unlikely. Far easier to just display an offensive image from a webserver.


INVALID.
Group: security
Severity: blocker → normal
Whiteboard: [sg:nse]
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
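The check the reporter is asking for, and the distinction the triage comment draws (a web page may embed a resource without being able to read it; the question is only whether a non-local page should be allowed to reference file: at all), as an added example. This is not Mozilla code and does not claim to be how Gecko implements the restriction in bug 69070; the scheme set, the tag/attribute table, the page origins and the sample markup (copied from the generated "foo"/"bar" page above) are assumptions made for the example. The rule it applies: a page loaded from a network scheme may not embed file: subresources, while a page that itself came from file: still may.

```python
"""Decide whether a page may load its embedded subresources.

Rule (an assumption of this example, not Gecko's implementation): a page
served from a network scheme (http, https, ...) may not embed a file:
resource, while a page loaded from file: may still embed file: resources.
Only the standard library is used, so this runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Schemes whose content counts as "local" for the purposes of the rule.
LOCAL_SCHEMES = {"file"}

# (tag, attribute) pairs that cause the browser to fetch a subresource.
# This table is an assumption for the example; browsers know more of them.
EMBED_ATTRS = {
    ("img", "src"),
    ("object", "data"),
    ("embed", "src"),
    ("iframe", "src"),
    ("frame", "src"),
    ("script", "src"),
    ("link", "href"),
}


def may_embed(page_url: str, resource_ref: str) -> bool:
    """Return True if a page at page_url may load resource_ref.

    resource_ref is resolved against page_url the way the HTML parser
    resolves <img src> and <object data>, so relative references and
    scheme case ("FILE:///") are normalised before the scheme is compared.
    """
    page_scheme = urlsplit(page_url).scheme.lower()
    target_scheme = urlsplit(urljoin(page_url, resource_ref)).scheme.lower()
    if target_scheme in LOCAL_SCHEMES:
        # file: content may only be embedded by file: content.
        return page_scheme in LOCAL_SCHEMES
    return True


class _EmbedCollector(HTMLParser):
    """Collect (tag, url) for every attribute that triggers a load."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing tags such as <img ... /> here too.
        for name, value in attrs:
            if (tag, name) in EMBED_ATTRS and value:
                self.refs.append((tag, value))


def blocked_embeds(page_url: str, html: str) -> list:
    """Return the (tag, url) pairs in html that the rule rejects."""
    collector = _EmbedCollector()
    collector.feed(html)
    return [(tag, ref) for tag, ref in collector.refs
            if not may_embed(page_url, ref)]


# Constructed sample input: the page the bug's "Exploit!" generator emitted
# for the values "foo" / "bar", as quoted earlier in this report.
SAMPLE_PAGE = (
    '<html>\n'
    '<object data="file:///foo" type="bar">omg</object>\n'
    '<img src="file:///foo" /></html>'
)

if __name__ == "__main__":
    # Hypothetical origins: one network page, one page opened from disk.
    for origin in ("http://attacker.example/", "file:///C:/local/page.html"):
        print(origin, blocked_embeds(origin, SAMPLE_PAGE))
```

Resolving the reference against the page URL before looking at the scheme is the part that matters: a bare `image.png` on a file: page legitimately becomes a file: load, while `FILE:///C:/image.png` or `file://localhost/etc/passwd` on an http page are caught regardless of case or host form. The check says nothing about whether the page can read the pixels back, which is the separate same-origin question the triage comment refers to.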
No, maybe I was misunderstood. The whole point is file:/// protocol should be
blocked from websites; websites should NOT be allowed to display anything from a
user's hard drive; it just gives that sense of bad security. Furthermore, you
completely blew this way out of proportion: the fact that it is unlikely that
anything will happen, doesn't take away from the fact that something malicious
CAN happen, and it's best to prevent this before it DOES HAPPEN.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Yes, we would like to fix this one.

*** This bug has been marked as a duplicate of 69070 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED