[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Disclosure of local file content in Mozilla Firefox and Opera

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: RE: [Full-Disclosure] Disclosure of local file content in Mozilla Firefox and Opera
From: "Giovanni Delvecchio" <badpenguin79@xxxxxxxxxxx>
Date: Mon, 06 Dec 2004 23:50:35 +0000

Which you wrote is correct, indeed i have specified in my message:

Anyway it cannot be exploited "directly" by a remote site, but only if the page is opened from a local path ( file://localpath/code.htm), since the iframe belongs to a local domain.

Note: with Internet Explorer these PoCs doesn't work even in local.

My target was explain how a remote user could take advantage by this feature. I illustrated also a possible method of remote exploitation.

But at this point i have a question: if it is a normal behavior, why in Ms Internet Explorer i cannot reproduce this problem even in local zone? Maybe different implementation? IMHO it's strange.


Regards,
Giovanni Delvecchio

This is not a vulnerability, it is expected behavior.

Mozilla shares the same zone design as IE which means that a file from the local file zone can read any other file from the local file zone. You cannot use this approach to read a local file from another zone such as the Internet zone. From the Internet zone, you can also only read the content of files from the same zone, same protocol and same domain.

I agree that Mozilla has implemented quite a lot of proprietary IE extensions which it should have not done, however reading the innerHTML of an element through document.all does not circumvent the traditional zone security checks already in place.

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9
PivX defines a new genre in Desktop Security: Proactive Threat Mitigation.
<http://www.pivx.com/qwikfix>


_________________________________________________________________
Scarica gratuitamente MSN Toolbar! http://toolbar.msn.it/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [Full-Disclosure] Disclosure of local file content in Mozilla Firefox and Opera
  - From: Thor Larholm

Prev by Date: Re: [Full-Disclosure] [Advisory] Mozilla Products Remote Crash Vulnerability
Next by Date: [Full-Disclosure] MDKSA-2004:146 - Updated nfs-utils packages fix remote DoS vulnerability
Previous by thread: RE: [Full-Disclosure] Disclosure of local file content in Mozilla Firefox and Opera
Next by thread: [Full-Disclosure] [Advisory] Mozilla Products Remote Crash Vulnerability
Index(es):
- Date
- Thread