Date: Thu, 8 Aug 2013 18:14:55 +0300
From: Georgi Guninski <guninski@...inski.com>
To: security@...driva.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [ MDVSA-2013:210 ] firefox



On Wed, Aug 07, 2013 at 04:48:22PM +0300, Georgi Guninski wrote:
> 
> 
> On Wed, Aug 07, 2013 at 12:36:01PM +0200, security@...driva.com wrote:
> >  
> >  Security researcher Georgi Guninski reported an issue with Java
> 
> 
> Just to clarify:  I haven't reported _any_ "issues" to mozilla
> since years...
> They are not fast in fixing bugs, especially when involving
> other vendors.
> If I get pissed off, will try to find the dates about
> the "issue" in question (suspect since at least 4 years).
> 
> 
>

looks like it's more than 4 years...

from their advisory it appears it is bug #406541.

Here it is:

Date: Mon, 3 Dec 2007 01:43:10 -0800
From: bugzilla-daemon@...illa.org
To: 
Subject: [Bug 406541] New:
        local java applet may read arbitrary files under certain circumstances

Do not reply to this email.  You can add comments to this bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=406541

           Summary: local java applet may read arbitrary files under certain
                    circumstances
           Product: Firefox
           Version: Trunk
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: --
         Component: Security
        AssignedTo: nobody@...illa.org
        ReportedBy: guninski@...inski.com
         QAContact: firefox@...urity.bugs


Created an attachment (id=291181)
 --> (https://bugzilla.mozilla.org/attachment.cgi?id=291181)
a1.java - compiled a1.class must be saved in
/tmp/DumbUglyB1llMarriedDumbUglyB1tch

recent trunk has restrictions on what local html can access

in bug 402998 Comment #8 someone with sun.com email asked to "post a test" for
local applet circumventing restrictions.

it is like beating a dead horse, but here it is:

if the path of the locally saved applet is known at applet compile time, the
applet can read any file.

note that if the luser saves files in a single directory, a two stage attack
may be successful with high probability.

suppose the applet is saved in directory:
/tmp/DumbUglyB1llMarriedDumbUglyB1tch

it should be instantiated like this:
<applet codebase="file:///"
code="tmp.DumbUglyB1llMarriedDumbUglyB1tch.a1">
</applet>

and the applet should contain:
/*
 * This is the path to the applet filename:
 * */
package tmp.DumbUglyB1llMarriedDumbUglyB1tch;
public class a1 extends Applet {


--
Configure bugmail: https://bugzilla.mozilla.org/userprefs.cgi?tab=email

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
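
A defender-side check for the pattern in the bug report above: an <applet> whose codebase is a file: URL strictly above the directory the HTML was saved in, with the code attribute spelling out that directory as a package path. This is an added example, not part of the original message or of any Mozilla or Sun fix; the function name, the /home/user/Downloads directory and the sample HTML are constructed assumptions, and relative codebase values such as ".." are not resolved.

```python
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import unquote, urlparse

# Constructed sample: first applet mirrors the report's pattern, the others are benign.
SAMPLE_HTML = """
<applet codebase="file:///"
code="home.user.Downloads.a1">
</applet>
<applet codebase="file:///home/user/Downloads/" code="a2"></applet>
<applet codebase="http://example.invalid/applets/" code="a3"></applet>
"""


class _AppletCollector(HTMLParser):
    """Collects the attributes of every <applet> start tag."""

    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        if tag == "applet":
            self.applets.append({k: (v or "") for k, v in attrs})


def find_wide_codebase_applets(html_text, document_dir):
    """Return (codebase, code, encodes_path) for each applet whose file:
    codebase is a strict ancestor of the directory holding the document.
    encodes_path is True when `code` starts with that directory written
    as a dotted package, as in the report."""
    doc_dir = PurePosixPath(document_dir)
    collector = _AppletCollector()
    collector.feed(html_text)
    findings = []
    for attrs in collector.applets:
        codebase = attrs.get("codebase", "")
        url = urlparse(codebase)
        if url.scheme.lower() != "file":
            continue
        base = PurePosixPath(unquote(url.path) or "/")
        if base not in doc_dir.parents:
            continue  # same directory or unrelated path: not this pattern
        package = ".".join(doc_dir.relative_to(base).parts)
        code = attrs.get("code", "")
        findings.append((codebase, code, code.startswith(package + ".")))
    return findings


if __name__ == "__main__":
    for hit in find_wide_codebase_applets(SAMPLE_HTML, "/home/user/Downloads"):
        print("suspicious applet:", hit)
```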
