Full Disclosure mailing list archives
Re: [ MDVSA-2013:210 ] firefox
From: Georgi Guninski <guninski () guninski com>
Date: Thu, 8 Aug 2013 18:14:55 +0300
On Wed, Aug 07, 2013 at 04:48:22PM +0300, Georgi Guninski wrote:
> On Wed, Aug 07, 2013 at 12:36:01PM +0200, security () mandriva com wrote:
> > Security researcher Georgi Guninski reported an issue with Java
>
> Just to clarify: I haven't reported _any_ "issues" to mozilla since years... They are not fast in fixing bugs, especially when involving other vendors. If I get pissed off, will try to find the dates about the "issue" in question (suspect since at least 4 years).
looks like it's more than 4 years...
from their advisory appears it is bug #406541.
Here it is:
Date: Mon, 3 Dec 2007 01:43:10 -0800
From: bugzilla-daemon () mozilla org
To:
Subject: [Bug 406541] New:
local java applet may read arbitrary files under certain circumstances
Do not reply to this email. You can add comments to this bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=406541
Summary: local java applet may read arbitrary files under certain
circumstances
Product: Firefox
Version: Trunk
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: --
Component: Security
AssignedTo: nobody () mozilla org
ReportedBy: guninski () guninski com
QAContact: firefox () security bugs
Created an attachment (id=291181)
--> (https://bugzilla.mozilla.org/attachment.cgi?id=291181)
a1.java - compiled a1.class must be saved in
/tmp/DumbUglyB1llMarriedDumbUglyB1tch
recent trunk has restrictions on what local html can access
in bug 402998 Comment #8 someone with sun.com email asked to "post a test" for
local applet circumventing restrictions.
it is like beating a death horse, but here it is:
if the path of the locally saved applet is known at applet compile time, the
applet can read any file.
note that if the luser saves files in a single directory, a two stage attack
may be successful with high probability.
suppose the applet is saved in directory:
/tmp/DumbUglyB1llMarriedDumbUglyB1tch
it should be instantiated like this:
<applet codebase="file:///"
code="tmp.DumbUglyB1llMarriedDumbUglyB1tch.a1">
</applet>
and the applet should contain:
/*
* This is the path to the applet filename:
* */
package tmp.DumbUglyB1llMarriedDumbUglyB1tch;
public class a1 extends Applet {
--
Configure bugmail: https://bugzilla.mozilla.org/userprefs.cgi?tab=email
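
An added example, not part of the original message or the Bugzilla report: a Python check that flags `<applet>` tags in a locally saved HTML file whose `codebase` is a `file:` URL above the page's own directory, the pattern shown in the report. The function and class names, the sample markup and the paths are constructed for illustration.

```python
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import unquote, urljoin, urlparse


class AppletAudit(HTMLParser):
    """Collect <applet> tags whose codebase is wider than the page's directory."""

    def __init__(self, doc_url):
        super().__init__()
        self.doc_url = doc_url
        self.doc_dir = PurePosixPath(unquote(urlparse(doc_url).path)).parent
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "applet":
            return
        a = dict(attrs)
        # A missing or empty codebase defaults to the document's own directory.
        codebase = urljoin(self.doc_url, a.get("codebase") or "./")
        parsed = urlparse(codebase)
        if parsed.scheme != "file":
            return  # remote codebases are outside the scope of this check
        base = PurePosixPath(unquote(parsed.path) or "/")
        # Flag a codebase that is a strict ancestor of the page's directory,
        # e.g. "/" for a page saved under /tmp/downloads.
        if base in self.doc_dir.parents:
            self.findings.append((str(base), a.get("code") or ""))


def audit(html_text, doc_url):
    """Return (codebase_path, code_attribute) for every flagged applet tag."""
    parser = AppletAudit(doc_url)
    parser.feed(html_text)
    return parser.findings


# Constructed sample: one applet with a root codebase, one with the default.
DOC_URL = "file:///tmp/downloads/page.html"
SAMPLE = """<html><body>
<applet codebase="file:///" code="tmp.downloads.a1"></applet>
<applet codebase="." code="clock"></applet>
</body></html>"""

if __name__ == "__main__":
    for base, code in audit(SAMPLE, DOC_URL):
        print(f"codebase {base} is above the page directory (code={code})")
```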
