Closed Bug 319801 Opened 19 years ago Closed 19 years ago

Html page able to access user password

Categories

(Core :: Networking: File, defect)

x86
Windows XP
defect
Not set
major

RESOLVED DUPLICATE of bug 230606

People

(Reporter: BijuMailList, Assigned: darin.moz)

Details

Attachments

(1 file)

3.34 KB, application/zip
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051209 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051209 Firefox/1.6a1

Malicious programmer can access user passwords.
See the html page in attached zip file.
A big problem in Windows; other OSes are not less vulnerable.

Reproducible: Always

Steps to Reproduce:
See the html page in attached zip file.
Actual Results:  
html page can access such user info

Expected Results:  
html page should not have access to such user info
Attached file security test
open the html page in this securitytest.zip attachment
note that this requires saving the file locally. (it looks like the testcase just uses XMLHttpRequest to access local files, but the code is a bit complex...)
(In reply to comment #2)
> note that this requires saving the file locally. 

Yes, but it is common, very common for a web developer.
And most users assume a local HTML is safe to view in Firefox.

>, but the code is a bit complex...)

complexity of code is to find the "Profiles_folder" urls
file:///{Profiles_folder}/

Once you know
url=file:///{Profiles_folder}/cookies.txt

then it is only 4 steps

httpReq = new XMLHttpRequest();
httpReq.open("GET", url, false);
httpReq.send("");
httpReq.responseText     
 

> it looks like the testcase just uses XMLHttpRequest
> to access local files

you can also do window.open().document.body.innerHTML
in a small iframe to achieve the same.

ie, if we know
cookies_url = file:///{Profiles_folder}/cookies.txt
formhistory_url = file:///{Profiles_folder}/formhistory.dat

by doing
   mywin = window.open(cookies_url)
and after a delay reading
   mywin.document.body.innerHTML

I started making test code with that but it's much more complex.
As XMLHttpRequest had async=false option writing with that was easier.

*** This bug has been marked as a duplicate of 230606 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
> complexity of code is to find the "Profiles_folder" urls

no, I was referring to this "Ajax" class thingy...
(In reply to comment #5)
> > complexity of code is to find the "Profiles_folder" urls
> no, I was referring to this "Ajax" class thingy...

the Ajax thing is just equivalent to

function Ajax_thingy(url){
  httpReq = new XMLHttpRequest();
  httpReq.open("GET", url, false);
  httpReq.send("");
  return httpReq.responseText;
}

I just used a common routine I had.
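
Added example, not part of the original bug thread and not Firefox's code: one way to express the report's expected result ("html page should not have access to such user info") as a check that a file:// document may only read file:// URLs inside its own directory tree. The directory-scoped policy, the function names and the C:/Users/dev/site path are assumptions made for illustration; {Profiles_folder} is the placeholder used in the comments above.

```javascript
"use strict";
// Illustrative policy (an assumption, not Firefox's implementation): a file://
// document may read only file:// URLs inside its own directory tree.

// Decoded path segments of a local file: URL, or null when the URL is not a
// plain local file: URL or still carries traversal/separator tricks.
function fileSegments(urlString) {
  let url;
  try {
    url = new URL(urlString); // resolves "..", ".", and backslashes
  } catch (e) {
    return null;
  }
  if (url.protocol !== "file:" || url.host !== "") return null;
  const segments = [];
  for (const raw of url.pathname.split("/").slice(1)) {
    let seg;
    try {
      seg = decodeURIComponent(raw);
    } catch (e) {
      return null; // malformed percent-encoding
    }
    // Fail closed on encoded dot segments or encoded separators.
    if (seg === "." || seg === ".." || /[\/\\]/.test(seg)) return null;
    segments.push(seg);
  }
  return segments;
}

function mayReadFileUrl(documentUrl, targetUrl) {
  const doc = fileSegments(documentUrl);
  const target = fileSegments(targetUrl);
  if (!doc || !target) return false;
  const dir = doc.slice(0, -1); // directory that holds the document
  if (dir.length === 0) return false; // document in the root: allow nothing
  if (target.length <= dir.length) return false;
  // Case-sensitive comparison: stricter than Windows needs, but fails closed.
  return dir.every((seg, i) => seg === target[i]);
}

// Constructed sample: a saved test page and the profile URL from the thread.
const DOC = "file:///C:/Users/dev/site/test.html";
console.log(mayReadFileUrl(DOC, "file:///C:/Users/dev/site/data/list.json"));
console.log(mayReadFileUrl(DOC, "file:///{Profiles_folder}/cookies.txt"));
```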