Date: Tue, 9 Jun 2009 20:21:32 +0100
From: "Adrian P." <ap@...citizen.org>
To: pantera_bleed@...mail.com
Cc: bugtraq@...urityfocus.com
Subject: Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3

it's always been possible to steal local files if you can convince a
user to open a "harmless" html file from their local filesystem. this
is possible because the scripting code runs within local context (in
FF terminology - not sure what Safari calls it).

last time i checked [1] [2] FF didn't even issue a warning when
opening a local file with scripting code in it, although i haven't
checked in the case of Safari.

[1] http://www.gnucitizen.org/blog/web-pages-from-hell-2/
[2] http://marc.info/?l=bugtraq&m=116386919506057&w=2

On Tue, Jun 9, 2009 at 5:33 PM, <pantera_bleed@...mail.com> wrote:
>
> .html can be crafted to force an unaware user to read a file from local, and then possibly send it to a server.
>
> var method = "GET"
> var URL = "file:///C:/argentina/bsas_junin.txt"
> xmlhttp.open( method, URL, true)
>
> This type of request is possible if the file is on the user's local hard disk (CHROME2); in another browser I was able to do the same but with LAN access to the file, no need to write to the local hard disk (SAFARI3)
>
>
> if (xmlhttp != null) {
>        xmlhttp.open( method, URL, true)
>        xmlhttp.onreadystatechange=function(){
>                if (xmlhttp.readyState==4) {
>                        alert(URL + "\n\n" + xmlhttp.responseText)
>                }
>        }
> }
>
> this is a valid operation; javascript can then read xmlhttp.responseText, yes, the file content.
>
> After this you can do whatever you want with the file.
>
> note that you MUST know the file path!!
>
> crafted by: federico.lanusse
> pantera_bleed@...mail.com
> federico.lanusse@...rolab.com
>
> company: clarolab QA team
> yeah! let's rock Ateam!!
>
> Chrome ISSUE, with attached POC.
> http://code.google.com/p/chromium/issues/detail?id=13671
>
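
The behaviour reported in this thread next to two stricter ways of treating file: documents, as an added example (not code from either poster or from any browser). The policy names, the page path and the "fileserver" host are constructed for illustration, and only reads of file: targets are modelled.

```javascript
// Simplified model: policy names are labels chosen for this example.

// Directory portion of a parsed file: URL, host included so that
// file://server/share/ and file:///share/ are never the same place.
function dirKey(u) {
  return u.host + u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
}

// May script running in the document at docUrl read the body of targetUrl?
function mayReadLocalFile(policy, docUrl, targetUrl) {
  const doc = new URL(docUrl);        // the URL parser resolves "../" segments
  const target = new URL(targetUrl);
  if (target.protocol !== "file:") {
    throw new TypeError("only file: targets are modelled");
  }
  // Content served over the network must never read local files.
  if (doc.protocol !== "file:") return false;

  switch (policy) {
    case "legacy":          // as reported in the thread: any local page reads any file: URL
      return true;
    case "same-directory":  // target must sit in the page's directory or below it
      return target.host === doc.host &&
             (target.host + target.pathname).startsWith(dirKey(doc));
    case "opaque":          // every local document is its own origin
      return false;
    default:
      throw new RangeError("unknown policy: " + policy);
  }
}

// Constructed sample: a downloaded page and the files it asks for.
const PAGE = "file:///C:/Users/alice/Downloads/harmless.html";
const REQUESTS = [
  "file:///C:/argentina/bsas_junin.txt",              // path from the post
  "file:///C:/Users/alice/Downloads/assets/data.txt", // below the page
  "file:///C:/Users/alice/Downloads/../secrets.txt",  // climbs out of the directory
  "file://fileserver/share/report.txt",               // LAN share (constructed host)
];

function decisionTable() {
  return ["legacy", "same-directory", "opaque"].map((p) => ({
    policy: p,
    allowed: REQUESTS.filter((r) => mayReadLocalFile(p, PAGE, r)),
  }));
}

console.log(JSON.stringify(decisionTable(), null, 2));
```

The model compares URL strings only; drive-letter case and symbolic links on the real filesystem are outside what it checks.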
