Closed
Bug 379243
Opened 17 years ago
Closed 14 years ago
download script (PHP/ASP) source code in certain conditions
Categories
(Firefox :: General, defect)
RESOLVED
INCOMPLETE
People
(Reporter: redwing, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

I found that if the cache was corrupted whilst loading a script and Firefox shut down, whenever trying to access any page under that domain would allow you to download the source code of the script file used to generate the page. The problem is fixed by deleting the cache files, however, this could allow someone to maliciously gain control of a website by allowing them to download sensitive information (such as database username and password).

Reproducible: Sometimes

Steps to Reproduce:
1. Begin loading a website from a script (in my case PHP)
2. Instantly shut down the machine whilst it is loading, power off. (Or manually corrupt the cache yourself)
3. Reload the script under the browser without restoring the session

Actual Results:
Allows the download of script files direct from the webserver as Firefox now seems unable to recognise "application/x-httpd" files from the webserver.

Expected Results:
Firefox should not allow me access to the source code. The page should have displayed properly.

OS: Windows Vista Business Edition
Theme: Aeroglass
Reporter
Updated•17 years ago
Summary: download script (PHP/ASP) source code if cache corrupt → download script (PHP/ASP) source code in certain conditions
Comment 1•17 years ago
For Firefox to get access to the site's source code, the server has to be sending it, and if the server is sending code instead of executing it, then that's a server-side problem, not a local Firefox problem. Firefox - corrupt cache or not - can't see things that the server doesn't send it, so this isn't a Firefox security issue. Can you provide an example link of a site that behaves differently after the cache is "corrupted"?
Group: security
Updated•17 years ago
Severity: critical → normal
Version: unspecified → 2.0 Branch
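The check that Comment 1's reasoning implies, as an added example that is not part of the original bug thread: classify a raw HTTP response by whether the server itself sent unexecuted script source, independent of any browser cache. The MIME types beyond the `application/x-httpd` prefix quoted in the report, the marker patterns and the sample responses are constructed assumptions.

```python
import re

# MIME types under which a server hands out script files unexecuted. The
# "application/x-httpd" prefix is quoted in the report; the rest are assumptions.
SOURCE_TYPE = re.compile(r"application/x-httpd|text/x-php|application/x-asp", re.I)
# Opening tags of server-side code that should never reach a client.
# "<?xml" is deliberately not matched.
SOURCE_MARKER = re.compile(rb"<\?php\b|<\?=|<%[@=\s]", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: bytes) -> str:
    """Return 'leak', 'suspect' or 'ok' for one response."""
    _, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip()
    if SOURCE_MARKER.search(body):
        return "leak"        # server sent code instead of executing it
    if SOURCE_TYPE.match(ctype):
        return "suspect"     # script MIME type: handler mapping is likely broken
    return "ok"


# Constructed sample responses (not captured from the sites in this bug).
SAMPLES = {
    "rendered": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html><body>Hello</body></html>",
    "raw_php": b"HTTP/1.1 200 OK\r\nContent-Type: application/x-httpd-php\r\n\r\n<?php $db_pass = 'PLACEHOLDER'; ?>",
    "php_as_text": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n<?php include 'config.php'; ?>",
    "empty_script_type": b"HTTP/1.1 200 OK\r\nContent-Type: application/x-httpd-php\r\n\r\n",
    "xml_feed": b"HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n\r\n<?xml version=\"1.0\"?><rss/>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {classify(raw)}")
```

A "leak" or "suspect" verdict on a response fetched with a cache-less client points at the server's handler mapping rather than at the browser.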
Reporter
Comment 2•17 years ago
An example is http://www.dogsofwarclan.co.uk
Heading there after the "corruption" allowed me to download the source code of the files. But only for that domain. Attempts to access it from the fully qualified domain (http://www.zyned.com/dow/) were successful in retrieving HTML, however, the site layout was incorrect and did not display properly. Other people accessing the site at the same time did so without trouble. I was also careful to check the server configuration and performed multiple attempts at accessing the source code over different files, including ones not in the cache.
Comment 3•17 years ago
That was probably a server overflow problem. Do you see that problem on other sites?
Comment 4•14 years ago
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Otherwise, please close as RESOLVED > WORKSFORME
http://www.mozilla.com
http://support.mozilla.com/kb/Managing+profiles
http://support.mozilla.com/kb/Safe+mode
Comment 5•14 years ago
No reply, INCOMPLETE. Please retest with Firefox 3.6.x or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest Firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE