Closed
Bug 962017
Opened 11 years ago
Closed 11 years ago
[SECURITY VIOLATION] loopback access should be disallowed from global URIs
Categories
(Core :: Security, defect)
RESOLVED DUPLICATE of bug 354493
People
(Reporter: yuri, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Steps to reproduce:
run this command: nc -l 1234
and access this URL
http://tortestprivacy.url.ph/
In it type 1234
nc will tell you that the browser has connected.
Actual results:
Connection occurs through XMLHttpRequest
Expected results:
Browser should not allow cross-origin connections from global URIs to loopback and local IPs (IPs in local network classes).
Remote sites can obtain some information about the local to client system(s), or even potentially retrieve some URLs from the client LAN.
Issue exists in FF-26.
Summary: [SECURITY VIOLATION] loopback access should be disallowed from global URI origins → [SECURITY VIOLATION] loopback access should be disallowed from global URIs
Comment 1•11 years ago
Because of CORS ( http://www.w3.org/TR/cors/ ), Firefox will forward the request to the server - but not give the page the answer if the server's reply doesn't include the right CORS headers. I don't think this is a security issue.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
But this is beyond the scope of CORS. Requesting the local/loopback IP from global URI is invalid, since this is an explicit request to get into the client LAN. LAN access from WAN is illegal. Browser should not even make a request to the LAN resource.
I have apache listening locally on port P1, and for this P1 port http://tortestprivacy.url.ph immediately tells me in green that "Port 444 CLOSED or there was a error during testing."
When nc listens on the next port P2, response is different: "readyState=1 status=0 statusText=" Timeout. Seems to be port 445is CLOSED.
So it still can learn something about LAN. This is unacceptable.
So I am reopening this case.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Corresponding chrome PR: https://code.google.com/p/chromium/issues/detail?id=336371
CORS http://www.w3.org/TR/cors/ talks about how a server can accept or not accept cross-origin requests using special HTTP headers. However, this should apply only in the direction from a narrower to a wider network. So it should apply for global->global, or LAN->global, or loopback->LAN, etc.
But cross-origin should never be allowed in these situations: global->LAN, global->loopback, LAN->loopback.
Browser should have special rule disallowing such cross-origin access as security violation.
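The scope rule proposed in the comment above (cross-origin requests allowed only toward an equal or wider network scope), sketched as an added example; it is not code from Firefox or from this bug thread. The names `Scope`, `scope_of` and `cross_origin_allowed` are hypothetical, the sample addresses are constructed, and treating 0.0.0.0 as loopback is an assumption.

```python
import ipaddress
from enum import IntEnum


class Scope(IntEnum):
    """Network scopes ordered from narrowest to widest (hypothetical names)."""
    LOOPBACK = 0
    LAN = 1
    GLOBAL = 2


def scope_of(addr: str) -> Scope:
    """Classify a resolved IP address (not a hostname) into a scope."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it cannot dodge the check.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # Assumption: 0.0.0.0 / :: is treated like loopback.
    if ip.is_loopback or ip.is_unspecified:
        return Scope.LOOPBACK
    # RFC 1918, unique-local IPv6, link-local and other non-public ranges.
    if ip.is_private or ip.is_link_local:
        return Scope.LAN
    return Scope.GLOBAL


def cross_origin_allowed(initiator_ip: str, target_ip: str) -> bool:
    """Allow only narrower -> equal-or-wider; block global->LAN,
    global->loopback and LAN->loopback, as the comment proposes."""
    return scope_of(target_ip) >= scope_of(initiator_ip)


# Constructed sample pairs: (address the page was loaded from, request target).
SAMPLES = [
    ("8.8.8.8", "127.0.0.1"),         # global -> loopback
    ("8.8.8.8", "192.168.1.10"),      # global -> LAN
    ("192.168.1.10", "127.0.0.1"),    # LAN -> loopback
    ("192.168.1.10", "8.8.8.8"),      # LAN -> global
    ("127.0.0.1", "10.0.0.5"),        # loopback -> LAN
    ("8.8.8.8", "::ffff:127.0.0.1"),  # global -> IPv4-mapped loopback
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        verdict = "allow" if cross_origin_allowed(src, dst) else "block"
        print(f"{src:>14} -> {dst:<18} {verdict}")
```

The check has to run on the address the connection is actually made to, after name resolution, since a public hostname can resolve to a loopback or LAN address.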
Updated•11 years ago
Component: Untriaged → Security
Product: Firefox → Core
Comment 6•11 years ago
This is a duplicate. Please find the original bug and mark this a duplicate.
Whiteboard: DUPEME
Updated•11 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME