Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
It's always been possible to steal local files if you can convince a
user to open a "harmless" HTML file from their local filesystem. This
is possible because the scripting code runs within local context (in
FF terminology; not sure what Safari calls it).
Last time I checked [1] [2], FF didn't even issue a warning when
opening a local file with scripting code in it, although I haven't
checked in the case of Safari.
[1] http://www.gnucitizen.org/blog/web-pages-from-hell-2/
[2] http://marc.info/?l=bugtraq&m=116386919506057&w=2
On Tue, Jun 9, 2009 at 5:33 PM, <pantera_bleed@hotmail.com> wrote:
>
> .html can be crafted to force an unaware user to read a file from local, and
> then possibly send it to a server.
>
> var method = "GET"
> var URL = "file:///C:/argentina/bsas_junin.txt"
> xmlhttp.open( method, URL, true)
>
> This type of request is possible if the file is on the user's local hard
> disk (CHROME2); in another browser I was able to do the same but with LAN
> access to the file, no need to write to the local hard disk (SAFARI3)
>
>
> if (xmlhttp != null) {
>     xmlhttp.open( method, URL, true)
>     xmlhttp.onreadystatechange = function(){
>         if (xmlhttp.readyState == 4) {
>             alert(URL + "\n\n" + xmlhttp.responseText)
>         }
>     }
> }
>
> This is a valid operation; JavaScript can then read xmlhttp.responseText,
> yes, the file content.
>
> After this you can do whatever you want with the file.
>
> Note that you MUST know the file path!!
>
> crafted by: federico.lanusse
> pantera_bleed@hotmail.com
> federico.lanusse@clarolab.com
>
> company: clarolab QA team
> yeah! let's rock A-team!!
>
> Chrome ISSUE, with attached POC.
> http://code.google.com/p/chromium/issues/detail?id=13671
>