Closed Bug 273502 Opened 20 years ago Closed 20 years ago

Too large file:// access

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED DUPLICATE of bug 273419

People

(Reporter: bugzilla, Assigned: dveditz)

References

(
URL
)

Details

Attachments

(1 file)

exploit example - windows only (start it from file://)
7.22 KB, text/html
Details 
For info:
<http://www.securityfocus.com/archive/1/383147/2004-12-02/2004-12-08/1> maybe
you know already. In answer is written "Attacker can *browse* target's folders
and files(file content, filename, filesize, and even the date)."

He has true (even with the *file content*). It is not problem only it this case
(sending bad MIME type form *.html file), but the fact that scripts launched
from file:// has access to the complete the file:// can lead to more potential
problems.


I have prepared simple "exploit" (see attachment), which started from the
file:// (not from the http://) will browse your disk, tries to found as many
Mozilla/Firefox/Thunderbird profiles as possible and load files with passwords
(big problem if the user isn't using master password). It is Windows-only,
looking for profiles only in the C:\Documents and Settings\* and
C:\WINDOWS\Application Data\* so it isn't working in every case - only for the
demonstration (someone can write more sophisticated example).

Report in the
<http://www.securityfocus.com/archive/1/383147/2004-12-02/2004-12-08/1> is only
1 possible problem how to exploit this. User cannot be sure about starting
*.html files from the CD-ROM, a:\ or \\intranet-computer\share\ because it can
send his passwords (or some other files) to the net!

Solution? Not easy. Nobody want to simply block access for the file://. There
will be intranet applications using this. So only some my ideas:

a) do not allow file:// scripts to access another drive (in similar way like it
is implemented in http:// domain security). It won't solve all problems, but can
help a little.

b) limit file:// access only to the current directory and subdirectories (do not
allow script from file:///C:/temp/ read file:///C:/ ). It is better, may be can
break some intranet applications, but not every. It the user can switch it off
in about:config, seems almost OK for me.

c) or do not limit file:// access, but *strictly* warn users every time when the
file:// is trying to access http:// (so script can find data, but cannot send them).
Attachment #168117 - Attachment description: exploit example - windows only → exploit example - windows only (start it from file://)
> c) or do not limit file:// access, but *strictly* warn users every time when
> the file:// is trying to access http:// (so script can find data, but cannot
> send them).

This is really not an option -- it's common for web pages at file:// to load
images, etc over http://, and it's trivial to send data in the URI...


*** This bug has been marked as a duplicate of 273419 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Group: security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: