Closed Bug 319801 Opened 15 years ago Closed 15 years ago

Html page able to access user password

Categories

(Core :: Networking: File, defect)

x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED DUPLICATE of bug 230606

People

(Reporter: BijuMailList, Assigned: darin.moz)

Details

Attachments

(1 file)

3.34 KB, application/zip
Details
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051209 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051209 Firefox/1.6a1

Malicious programmer can access user passwords.
See the html page in attached zip file.
a big a problem in windows, other OS are not less vulnerable.

Reproducible: Always

Steps to Reproduce:
See the html page in attached zip file.
Actual Results:  
html page can access such user info

Expected Results:  
html page should not have access to such user info
Attached file security test
open the html page in this securitytest.zip attachement
note that this requires saving the file locally. (it looks like the testcase just uses XMLHttpRequest to access local files, but the code is a bit complex...)
(In reply to comment #2)
> note that this requires saving the file locally. 

Yes, but it is common, very common for a web developer.
And most users assumes a local HTML is safe to view in Firefox.

>, but the code is a bit complex...)

complexity of code is to find the "Profiles_folder" urls
file:///{Profiles_folder}/

Once you know
url=file:///{Profiles_folder}/cookies.txt

then it is only 4 steps

httpReq = new XMLHttpRequest();
httpReq.open("GET", url, false);
httpReq.send("");
httpReq.responseText     
 

> it looks like the testcase just uses XMLHttpRequest
> to access local files

you can also do window.open().document.body.innerHTML
in a small iframe to achive the same.

ie, if we know
cookies_url = file:///{Profiles_folder}/cookies.txt
formhistory_url = file:///{Profiles_folder}/formhistory.dat
formhistory_url = file:///{Profiles_folder}/formhistory.dat

by doing
   mywin = window.open(cookies_url)
and after a delay reading
   mywin.document.body.innerHTML

I started making test code with that but its much more complex.
As XMLHttpRequest had async=false option writing with that was easier

*** This bug has been marked as a duplicate of 230606 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
> complexity of code is to find the "Profiles_folder" urls

no, I was referring to this "Ajax" class thingy...
(In reply to comment #5)
> > complexity of code is to find the "Profiles_folder" urls
> no, I was referring to this "Ajax" class thingy...

the Ajax thing is just equvalent to

function Ajax_thingy(url){
  httpReq = new XMLHttpRequest();
  httpReq.open("GET", url, false);
  httpReq.send("");
  return httpReq.responseText;
}

I just used a common routine i had 
You need to log in before you can comment on or make changes to this bug.