Closed Bug 367428 (CVE-2007-3072) Opened 13 years ago Closed 13 years ago

resource:// directory traversal

(Core :: Networking, defect, P1)

Windows XP

(Reporter: sync2d, Assigned: benjamin)

(Keywords: fixed1.8.0.12, privacy, verified1.8.1.4, Whiteboard: [sg:low])

(4 files, 1 obsolete file)

Attached file testcase
resource://gre/../../../../boot.ini => Firefox can't find the file at /boot.ini.
resource://gre/..\..\..\..\boot.ini => File loads successfully.

This bug can be used to check existence of local files
since resource:// and file:// have different restrictions.

Mozilla/5.0 (Windows; U; Win98; en-US; rv: Gecko/20070117 BonEcho/
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Flags: blocking1.9?
Darin, biesi: this behavior is/was being prevented in the forward-slash case by net_CoalesceDirs ( Perhaps we can just fail if there are any backslashes at all in the resource URL?
Assignee: nobody → benjamin
Flags: blocking1.9? → blocking1.9+
Attached patch Don't allow backslash, rev. 1 (obsolete) — Splinter Review
Attachment #253222 - Flags: review?
Attachment #253222 - Flags: review? → review?(darin.moz)
Comment on attachment 253222 [details] [diff] [review]
Don't allow backslash, rev. 1

you don't need double backslashes in JavaScript?
Indeed I do
Attachment #253222 - Attachment is obsolete: true
Attachment #253328 - Flags: review?(darin.moz)
Attachment #253222 - Flags: review?(darin.moz)
Attachment #253328 - Flags: review?(darin.moz) → review?(cbiesinger)
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1
Attachment #253328 - Flags: review?(cbiesinger) → review+
Comment on attachment 253328 [details] [diff] [review]
Don't allow backslash, rev. 1.1

Very low-risk security patch.
Attachment #253328 - Flags: approval1.8.1.3?
Attachment #253328 - Flags: approval1.8.0.11?
Fixed on trunk.
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment on attachment 253328 [details] [diff] [review]
Don't allow backslash, rev. 1.1

This is incorrect, as it doesn't deal with %5C correctly.
Attachment #253328 - Flags: approval1.8.1.3?
Attachment #253328 - Flags: approval1.8.0.11?
Resolution: FIXED → ---
Attachment #256468 - Flags: review?(cbiesinger)
Attachment #256468 - Flags: review?(cbiesinger) → review+
Attachment #256470 - Flags: approval1.8.1.3?
Attachment #256470 - Flags: approval1.8.0.11?
Fixed on trunk, and the testcase even passes ;-)
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:low]
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x?
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Comment on attachment 256470 [details] [diff] [review]
Rollup patch for branches, rev. 1

approved for and, a=dveditz for release-drivers
Attachment #256470 - Flags: approval1.8.1.4?
Attachment #256470 - Flags: approval1.8.1.4+
Attachment #256470 - Flags: approval1.8.0.12?
Attachment #256470 - Flags: approval1.8.0.12+
v.fixed on 1.8 branch with rc2 build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070509 Firefox/
Please see bug 380994 for a part of this problem that was missed...
Given this has been discussed in public I'm opening this bug 
Group: security
Unless I'm missing something, the patches above only address this problem on Windows.  There's a very similar bug on Mac OS X (and, I'd assume, any *nix) with escaped forward slashes -- URLs of the form "resource:///..%2F..%2F..%2F..%2FUsers" can traverse the entire directory structure.

I can successfully and consistently exploit this on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20070309 Firefox/ -- it's pretty straightforward, but please email me if you'd like PoC code.

My apologies if the OS X bug has already been patched elsewhere, or if it is not related to this bug.  I searched bugzilla, but didn't turn up any other bugs that seem relevant.

I vote to reopen this bug.

I can reproduce Sam's findings as well. This affects more than just Windows XP and the provided patch does not address the vulnerability on OS X and Linux.
That is bug 380994
Depends on: CVE-2007-3073
Does bug 380994 address the vulnerability in as well? I don't have access to verify.
That bug covers all the branches.
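The thread above shows three separate ways a resource:// path escaped the root: a raw backslash that net_CoalesceDirs did not treat as a separator, the percent-encoded form %5C that the first patch missed, and the percent-encoded forward slash %2F on non-Windows platforms (bug 380994). The following is an added, stand-alone illustration of the check order a defender needs (decode once, reject foreign separators, then coalesce dot segments and refuse anything that climbs above the root); it is not Mozilla's code and does not reproduce the Necko fix, and the function name normalize_resource_path is an assumption of this example.

```python
from typing import Optional
from urllib.parse import urlsplit, unquote

# Example validator for resource:// style URLs (not Mozilla's own code).
# The idea: percent-decode exactly once so that %5C and %2F become the
# literal characters they stand for *before* any separator or traversal
# check runs, then refuse backslashes outright, then coalesce "." and ".."
# segments and reject any path that would climb above the resource root.

RESOURCE_SCHEME = "resource"


def normalize_resource_path(url: str) -> Optional[str]:
    """Return the canonical path inside the resource root, or None if the
    URL must be rejected (wrong scheme, backslash, or traversal above root)."""
    parts = urlsplit(url)
    if parts.scheme != RESOURCE_SCHEME:
        return None

    # Decode percent-escapes once. Checking the raw string first is the
    # mistake the thread describes: "%5C" contains no backslash and
    # "%2F" contains no slash until decoding happens.
    decoded = unquote(parts.path)

    # Reject backslashes entirely, as the bug's first patch did; on Windows
    # the file system treats them as separators even if the URL code does not.
    if "\\" in decoded:
        return None

    # Coalesce dot segments. Popping from an empty stack means the path
    # tried to leave the root, which is exactly the traversal to refuse.
    stack = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


if __name__ == "__main__":
    # Constructed sample inputs: the URL shapes quoted in the bug plus a benign one.
    samples = [
        "resource://gre/modules/foo.js",
        "resource://gre/../../../../boot.ini",
        "resource://gre/..\\..\\..\\..\\boot.ini",
        "resource://gre/..%5C..%5C..%5C..%5Cboot.ini",
        "resource:///..%2F..%2F..%2F..%2FUsers",
    ]
    for s in samples:
        print(f"{s!r:50} -> {normalize_resource_path(s)!r}")
```

Only the benign URL survives normalization; the raw-backslash, %5C and %2F forms are all rejected, which is the behaviour the branch rollup plus bug 380994 ultimately delivered. A real implementation also has to decide whether the consumer decodes again later (double-encoded %255C) and apply the check at that same layer.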
Depends on: 382558
No longer depends on: 382558
Depends on: 382558
Alias: CVE-2007-3072