[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3



it's always been possible to steal local files if you can convince a
user to open a "harmless" html file from their local filesystem. this
is possible because the scripting code runs within local context (in
FF terminology - not sure what Safari calls it).

last time i checked [1] [2] FF didn't even issue a warning when
opening a local file with scripting code in it, although i haven't
checked in the case of Safari

[1] http://www.gnucitizen.org/blog/web-pages-from-hell-2/
[2] http://marc.info/?l=bugtraq&m=116386919506057&w=2

On Tue, Jun 9, 2009 at 5:33 PM, <pantera_bleed@xxxxxxxxxxx> wrote:
>
> .html can be crafted to force a unaware user to read file from local, and then possibly send it to a server.
>
> var method = "GET"
> var URL = "file:///C:/argentina/bsas_junin.txt"
> xmlhttp.open( method, URL, true)
>
> This type of request is possible if file is on user local  in the user hard disk (CHROME2), in other browser I was able to do the same but with a LAN access to file, no need to write in local hard disk (SAFARI3)
>
>
> if (xmlhttp != null) {
>        xmlhttp.open( method, URL, true)
>        xmlhttp.onreadystatechange=function(){
>        if (xmlhttp.readyState==4) {
>           alert(URL + "\n\n" + xmlhttp.responseText)
>                }
>                }
>        }
>
> this is a valid operation javascript can read then xmlhttp.responseText, yes the file content.
>
> After this you can do whatever you want whit the file.
>
> note that you MUST know the file path!!
>
> crafted by: federico.lanusse
> pantera_bleed@xxxxxxxxxxx
> federico.lanusse@xxxxxxxxxxxx
>
> company: clarolab QA team
> yeah! lets rock Ateam!!
>
> Chrome ISSUE, with attached POC.
> http://code.google.com/p/chromium/issues/detail?id=13671
>