Resource Directory Traversal Vulnerability

RESOLVED FIXED

Status

11 years ago
10 years ago

People

(Reporter: mramilli, Assigned: dveditz)

Tracking

({verified1.8.1.17, verified1.9.0.2})

unspecified
Bug Flags:
blocking1.8.0.next +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse] fix in bug 380994, URL)

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

Classical Traversal Vulnerability, maybe someone forgot some filters ...
It could be dangerous if someone opens a "well forged" page.

Reproducible: Always

Steps to Reproduce:
1. Write this "resource:///%2e%2e" (without the ") in your UR
Actual Results:
You can navigate your file system!

Expected Results:
The software forgets some filters in resource procedure

Comment 1

Posted on a well-read blog at http://www.0x000000.com/?i=422 so no point in a hidden bug --> unhiding.

If you put a slash after that it doesn't work so you can't actually load any files that way or traverse higher. The result is surprising, bad, but not clear this is an actual vulnerability since other sites won't be able to read the directory listing.
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:investigate]
(Reporter)

Comment 2

11 years ago
OK, thank you.
I have never read http://www.0x000000.com/?i=422; I frequently use resource:/// :-).

Only to help your wonderful project.

Comment 3

11 years ago
See also bug 413250, a similar-sounding bug for chrome: URLs.
Depends on: 380994

Comment 4

The latest patch in bug 380994 fixes this case as well.

We never found an actual exploit for this.
Assignee: nobody → dveditz
Whiteboard: [sg:investigate] → [sg:nse] fix in bug 380994

Comment 5

10 years ago
Bug 417400 has an example attack.  At a minimum, this could be used to compromise user privacy.
Keywords: fixed1.8.1.17, fixed1.9.0.2

Comment 6

10 years ago
When I enter "resource:///%2e%2e" in Fx20016 I can see the contents of my install directory, and I can navigate all the way up to C: (or file:///Applications/ in Mac). I also see this in Fx20017build2.

Comment 7

10 years ago
Talked to dveditz and he explained the expected results. Verified with latest build candidates of 2.0.0.17 and 3.0.2. When I type "resource:///%2e%2e" in the location bar I see the contents of these directories:

On 20016
Index of file:///C:/Program Files/Mozilla Firefox/..
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/.. 
Index of file:///home/mozilla/Desktop/firefox/..

On 20017build2 candidates
Index of file:///C:/Program Files/Mozilla Firefox/
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/

On 3.0.1
Index of file:///C:/Program Files/Mozilla Firefox/..
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/..
Index of file:///home/mozilla/Desktop/firefox/..

On 3.0.2build3 candidates
Index of file:///C:/Program Files/Mozilla Firefox/
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/
Keywords: fixed1.8.1.17, fixed1.9.0.2 → verified1.8.1.17, verified1.9.0.2
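
Added example, not part of the bug report or Mozilla's code: a Python sketch of one common way an encoded `%2e%2e` gets past a dot-segment filter (filtering before percent-decoding), next to a resolver that decodes first and clamps at the base directory, which is the before/after behaviour the listings in comment 7 show. `BASE`, `resolve_naive` and `resolve_clamped` are hypothetical names; the page does not describe how the patch in bug 380994 is implemented.

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory standing in for the application install directory.
BASE = "/opt/app"


def resolve_naive(url_path: str) -> str:
    """Flawed order: drop literal dot segments, then percent-decode."""
    segments = [s for s in url_path.split("/") if s not in ("", ".", "..")]
    # "%2e%2e" survived the filter above and only now turns into "..".
    decoded = [unquote(s) for s in segments]
    return posixpath.normpath(posixpath.join(BASE, *decoded))


def resolve_clamped(url_path: str) -> str:
    """Decode once, then resolve dot segments without climbing above BASE."""
    stack = []
    # Decoding before splitting also catches encoded separators ("%2f").
    for seg in unquote(url_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            # A ".." at the root is dropped, so the result stays at BASE.
            continue
        stack.append(seg)
    resolved = posixpath.join(BASE, *stack)
    # Defence in depth: the final path must still sit under BASE.
    if posixpath.commonpath([BASE, resolved]) != BASE:
        raise ValueError("path escapes base directory")
    return resolved


if __name__ == "__main__":
    # Constructed inputs; the first two are the plain and encoded forms.
    for path in ("..", "%2e%2e", "res/a%2f..%2f..%2f..%2fb", "%252e%252e"):
        print(f"{path!r:32} naive={resolve_naive(path):18} "
              f"clamped={resolve_clamped(path)}")
```

The double-encoded input `%252e%252e` is decoded only once and ends up as an ordinary file name under `BASE`; decoding repeatedly would reopen the same hole.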

Comment 8

10 years ago
We should verify this on 1.8.0.15
Flags: blocking1.8.0.15+
bug 380994 checked in:
http://hg.mozilla.org/mozilla-central/rev/6dad95d60106
http://hg.mozilla.org/mozilla-central/rev/1eccc541661c
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED