Closed
Bug 417400
Opened 17 years ago
Closed 16 years ago
Resource Directory Traversal Vulnerability - Mac OS X and Linux Example
Categories
(Core :: Security, defect)
Status: RESOLVED FIXED
People
(Reporter: gfleischer+bugzilla, Assigned: dveditz)
Details
(Keywords: verified1.8.1.17, verified1.9.0.2, Whiteboard: [sg:dupe 380994])
Attachments
(1 file)
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
On Mac OS X and Linux, the "resource:///" directory traversal described in bug 394075 can be used to reach any file on the file system.
Because there is a different error returned for JavaScript for non-existent files versus files that have syntax errors, a brute-force attack could be mounted to determine the OS user name by attempting to source script files from their home directory.
If the operating system user name can be brute-forced (or otherwise determined) and the profile value determined through an information leak, the "sessionstore.js" file can be read if it is stored in the default location.
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 • 17 years ago (Reporter)
If the OS user name and profile value can be determined, it is possible to read the sessionstore.js file.
Note also that different errors are returned for invalid (or unreachable) user name values compared to users that exist.
Comment 2 • 17 years ago (Assignee)
This is basically a dupe of bug 380994, customized with a juicy target from flat-chrome traversal bug. Very clever attempt to read the salted profile name. Another way to get that name is sometimes it can be read from uncaught exceptions thrown by addon components (not code in chrome URIs which isn't going to help much, but accompanying javascript XPCOM components which will have file: URIs in the error).
Whiteboard: [sg:dupe 380994]
Updated • 17 years ago
Assignee: nobody → dveditz
Product: Firefox → Core
QA Contact: firefox → toolkit
Comment 3 • 16 years ago (Assignee)
Fix for bug 380994 checked into 1.8 and 1.9.0 branches
Keywords: fixed1.8.1.17, fixed1.9.0.2
Updated • 16 years ago (Assignee)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4 • 16 years ago
Verified on latest Mac/Linux build candidates for 20017 and 3.0.2 using test case in comment #1. When running the test case on 20016 and 3.0.1 I could see the contents of my sessionstore.js file; on 20017 and 3.0.2 nothing happens.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
Updated • 16 years ago (Assignee)
Group: core-security
Comment 5 • 16 years ago (Assignee)
bug 380994 checked in:
http://hg.mozilla.org/mozilla-central/rev/6dad95d60106
http://hg.mozilla.org/mozilla-central/rev/1eccc541661c
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED