Closed
Bug 319801
Opened 20 years ago
Closed 20 years ago
Html page able to access user password
Categories
(Core :: Networking: File, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 230606
People
(Reporter: BijuMailList, Assigned: darin.moz)
Details
Attachments
(1 file)
|
3.34 KB,
application/zip
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051209 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051209 Firefox/1.6a1
Malicious programmer can access user passwords.
See the html page in attached zip file.
a big a problem in windows, other OS are not less vulnerable.
Reproducible: Always
Steps to Reproduce:
See the html page in attached zip file.
Actual Results:
html page can access such user info
Expected Results:
html page should not have access to such user info
Comment 2•20 years ago
|
||
note that this requires saving the file locally. (it looks like the testcase just uses XMLHttpRequest to access local files, but the code is a bit complex...)
(In reply to comment #2)
> note that this requires saving the file locally.
Yes, but it is common, very common for a web developer.
And most users assumes a local HTML is safe to view in Firefox.
>, but the code is a bit complex...)
complexity of code is to find the "Profiles_folder" urls
file:///{Profiles_folder}/
Once you know
url=file:///{Profiles_folder}/cookies.txt
then it is only 4 steps
httpReq = new XMLHttpRequest();
httpReq.open("GET", url, false);
httpReq.send("");
httpReq.responseText
> it looks like the testcase just uses XMLHttpRequest
> to access local files
you can also do window.open().document.body.innerHTML
in a small iframe to achive the same.
ie, if we know
cookies_url = file:///{Profiles_folder}/cookies.txt
formhistory_url = file:///{Profiles_folder}/formhistory.dat
formhistory_url = file:///{Profiles_folder}/formhistory.dat
by doing
mywin = window.open(cookies_url)
and after a delay reading
mywin.document.body.innerHTML
I started making test code with that but its much more complex.
As XMLHttpRequest had async=false option writing with that was easier
Comment 4•20 years ago
|
||
*** This bug has been marked as a duplicate of 230606 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Comment 5•20 years ago
|
||
> complexity of code is to find the "Profiles_folder" urls
no, I was referring to this "Ajax" class thingy...
(In reply to comment #5)
> > complexity of code is to find the "Profiles_folder" urls
> no, I was referring to this "Ajax" class thingy...
the Ajax thing is just equvalent to
function Ajax_thingy(url){
httpReq = new XMLHttpRequest();
httpReq.open("GET", url, false);
httpReq.send("");
return httpReq.responseText;
}
I just used a common routine i had
You need to log in
before you can comment on or make changes to this bug.
Description
•