Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3

From: Adrian P. <ap@gnucitizen.org>
To: pantera_bleed@hotmail.com
Cc: bugtraq@securityfocus.com
Subject: Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
Date:


it's always been possible to steal local files if you can convince a
user to open a "harmless" html file from their local filesystem. this
is possible because the scripting code runs within local context (in
FF terminology - not sure what Safari calls it).

last time i checked [1] [2] FF didn't even issue a warning when
opening a local file with scripting code in it, although i haven't
checked in the case of Safari.

[1] http://www.gnucitizen.org/blog/web-pages-from-hell-2/
[2] http://marc.info/?l=bugtraq&m=116386919506057&w=2

On Tue, Jun 9, 2009 at 5:33 PM, <pantera_bleed@hotmail.com> wrote:
>
> .html can be crafted to force an unaware user to read a file from local disk, and then possibly send it to a server.
>
> var method = "GET"
> var URL = "file:///C:/argentina/bsas_junin.txt"
> xmlhttp.open( method, URL, true)
>
> This type of request is possible if the file is on the user's local hard disk (CHROME2); in another browser I was able to do the same but with LAN access to the file, no need to write to the local hard disk (SAFARI3)
>
>
> if (xmlhttp != null) {
>    xmlhttp.open( method, URL, true)
>    xmlhttp.onreadystatechange=function(){
>      if (xmlhttp.readyState==4) {
>        alert(URL + "\n\n" + xmlhttp.responseText)
>      }
>    }
> }
>
> this is a valid operation; javascript can then read xmlhttp.responseText, yes, the file content.
>
> After this you can do whatever you want with the file.
>
> note that you MUST know the file path!!
>
> crafted by: federico.lanusse
> pantera_bleed@hotmail.com
> federico.lanusse@clarolab.com
>
> company: clarolab QA team
> yeah! lets rock Ateam!!
>
> Chrome ISSUE, with attached POC.
> http://code.google.com/p/chromium/issues/detail?id=13671
>
