Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Disclosure of file system information in Mozilla Firefox and Opera Browser:
From: Liu Die Yu <liudieyu () umbrella name>
Date: Thu, 02 Dec 2004 09:49:06 +0800

Target user doesn't need to click the OPEN button:
1. Cross-site scripting vulnerabilities can get it done(on Mozilla, an internet page can't navigate to a local page directly ... but there are ways to bypass this restriction). 2. Ask target to open an HTML file in a remote SMBFS folder - expecting him to
mount -t smbfs [...] /mnt/[...]
and open "/mnt/[...].html" in Mozilla :-)

Attacker can *browse* target's folders and files(file content, filename, filesize, and even the date).



Giovanni Delvecchio wrote:

Title: Disclosure of file system information in Mozilla Firefox and Opera Browser

I don't know if it could be considered really a security problem, anyway i'll try to explain my ideas.
Sorry for my bad english.

Author: Giovanni Delvecchio

Bug: Disclosure of file system information

Applications affected:

- Firefox 1.0
- Mozilla 1.7
- Opera 7.54 (*)

( maybe also previous versions )

Tested versions:

- Firefox 1.0 on Linux and Windows
- Mozilla 1.7 on Windows
- Opera 7.51,..7.54 on Linux

The content of this advisory could be applied also to other browsers, i have checked just Mozilla, Firefox,Opera and Microsoft Internet Explorer.
Microsoft Internet Explorer seems not to be affected.

Bug Description:
A problem exist in some browsers where a frame can gain access to attributes of another frame or iframe. An application of this bug could be the possibility to disclose local directory structure.


------ begin code.htm -----


<body onLoad="

 //send list_files at malicious_server


<iframe name="local_files" src="file:///home/" height=0



------ end of code.htm -------

A malicious server could obtain the content of /home/ directory ( or c:\Document and Setting\ for windows system ) and so know a set of usernames present on system target. Moreover, colud be possible know if a particolar program is installed on target system for a succesive attack.

Anyway it cannot be exploited "directly" by a remote site, but only if the page is opened from a local path ( file://localpath/code.htm), since the iframe "local_files" belongs to a local domain.

Note: with Internet Explorer code.htm doesn't work even in local.

Possible Remote Exploitation:

How could a malicious remote user exploit it ?

After that the user "victim" has required http://maliciuos_server/code.htm, if malicious_server responds with a page containing an unknown Content-Type field ( for example text/html. ,note the dot) ,the browser will show a dialog window with some options (open, save, cancel). Choosing "Open" to view this page, it will be downloaded and opened in local ; javascript code will be executed in local context.
Obviously, if user chooses to save and after open it the result is equal.

(*) For Opera this method of remote exploitation requires that opera must be setted as Default Application in "handler for saved files" whether the user choose "Open" in the dialog window.

No solution at the moment

Vendor notice
24th November 2004: I have contacted mozilla by security () mozilla org
and Opera by its bug track page at https://bugs.opera.com/wizard/

No response from both at the moment.

Best regards,

Giovanni Delvecchio

Personalizza MSN Messenger con sfondi e fotografie! http://www.ilovemessenger.msn.it/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]