Bug 319801
Html page able to access user password
Opened 19 years ago
Closed 19 years ago
Categories (Core :: Networking: File, defect)
RESOLVED DUPLICATE of bug 230606
People (Reporter: BijuMailList, Assigned: darin.moz)
Attachments (1 file): 3.34 KB, application/zip
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051209 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051209 Firefox/1.6a1

A malicious programmer can access user passwords. See the HTML page in the attached zip file. A big problem in Windows; other OSes are not less vulnerable.

Reproducible: Always

Steps to Reproduce:
See the HTML page in the attached zip file.

Actual Results:
HTML page can access such user info

Expected Results:
HTML page should not have access to such user info
Comment 2•19 years ago
note that this requires saving the file locally. (it looks like the testcase just uses XMLHttpRequest to access local files, but the code is a bit complex...)
(In reply to comment #2)
> note that this requires saving the file locally.
Yes, but it is common, very common for a web developer. And most users assume a local HTML is safe to view in Firefox.

>, but the code is a bit complex...)
The complexity of the code is to find the "Profiles_folder" URLs
    file:///{Profiles_folder}/
Once you know
    url=file:///{Profiles_folder}/cookies.txt
then it is only 4 steps
    httpReq = new XMLHttpRequest();
    httpReq.open("GET", url, false);
    httpReq.send("");
    httpReq.responseText

> it looks like the testcase just uses XMLHttpRequest
> to access local files
You can also do window.open().document.body.innerHTML in a small iframe to achieve the same.
i.e., if we know
    cookies_url = file:///{Profiles_folder}/cookies.txt
    formhistory_url = file:///{Profiles_folder}/formhistory.dat
    formhistory_url = file:///{Profiles_folder}/formhistory.dat
by doing
    mywin = window.open(cookies_url)
and after a delay reading
    mywin.document.body.innerHTML
I started making test code with that but it's much more complex. As XMLHttpRequest had the async=false option, writing with that was easier
Comment 4•19 years ago
*** This bug has been marked as a duplicate of 230606 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Comment 5•19 years ago
> complexity of code is to find the "Profiles_folder" urls
no, I was referring to this "Ajax" class thingy...
(In reply to comment #5)
> > complexity of code is to find the "Profiles_folder" urls
> no, I was referring to this "Ajax" class thingy...
the Ajax thing is just equivalent to
    function Ajax_thingy(url){
      httpReq = new XMLHttpRequest();
      httpReq.open("GET", url, false);
      httpReq.send("");
      return httpReq.responseText;
    }
I just used a common routine I had
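
Added example, not part of the bug thread and not Mozilla's code: a model of a directory-scoped read rule under which the local-file reads described in the comments above (a saved page requesting file:///{Profiles_folder}/cookies.txt) would be refused. The rule itself, the helper names and the sample paths are assumptions made for illustration; the thread does not say how the duplicate bug was resolved.

```javascript
// Added example. Assumed rule (not stated in the thread): a document loaded
// from file: may read another file: URL only if the target lies in the
// document's own directory or below it.

// Directory part of a parsed URL's path, always ending in "/".
function directoryOf(url) {
  return url.pathname.slice(0, url.pathname.lastIndexOf("/") + 1);
}

// Hypothetical helper: may the document at docHref read targetHref?
function mayReadLocalFile(docHref, targetHref) {
  let doc, target;
  try {
    doc = new URL(docHref);
    // Resolve relative targets against the document, as a page's request would be.
    target = new URL(targetHref, doc);
  } catch (e) {
    return false; // unparsable URL: fail closed
  }
  // Only the file-to-file case is modelled; everything else is refused here.
  if (doc.protocol !== "file:" || target.protocol !== "file:") return false;
  if (doc.host !== target.host) return false;
  // new URL() has already collapsed "." and ".." segments, and the trailing
  // "/" on the directory stops a sibling such as "Downloads-old" from matching.
  return target.pathname.startsWith(directoryOf(doc));
}

// Constructed sample: a saved page and the reads it might attempt.
const SAVED_PAGE = "file:///home/alice/Downloads/page.html";
const ATTEMPTS = [
  "data/notes.txt",
  "file:///Profiles_folder/cookies.txt",
  "../../../Profiles_folder/formhistory.dat",
  "file:///home/alice/Downloads-old/x.txt",
];

// Evaluate every constructed attempt against the assumed rule.
function evaluateAttempts() {
  return ATTEMPTS.map((t) => ({ target: t, allowed: mayReadLocalFile(SAVED_PAGE, t) }));
}

for (const r of evaluateAttempts()) {
  console.log((r.allowed ? "ALLOW " : "DENY  ") + r.target);
}
```

The comparison is case-sensitive, so on a case-insensitive file system a differently cased path is refused rather than allowed.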