Bugzilla@Mozilla – Bug 394075
Resource Directory Traversal Vulnerability
Last modified: 2008-09-30 22:47:31 PDT
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

Classical Traversal Vulnerability, maybe someone forgot some filters ... It could be dangerous if someone opens a "well forged" page.

Reproducible: Always

Steps to Reproduce:
1. Write this "resource:///%2e%2e" (without ") in your UR
2.
3.

Actual Results: You can navigate your file system!

Expected Results: The software forgets some filters in resource procedure
Posted on a well-read blog at http://www.0x000000.com/?i=422 so no point in a hidden bug --> unhiding. If you put a slash after that it doesn't work, so you can't actually load any files that way or traverse higher. The result is surprising, bad, but it's not clear this is an actual vulnerability since other sites won't be able to read the directory listing.
OK, thank you. I have never read http://www.0x000000.com/?i=422, I frequently use resource:/// :-). Only to help your wonderful project.
See also bug 413250, a similar-sounding bug for chrome: URLs.
The latest patch in bug 380994 fixes this case as well. We never found an actual exploit for this.
Bug 417400 has an example attack. At a minimum, this could be used to compromise user privacy.
When I enter "resource:///%2e%2e" in Fx20016 I can see the contents of my install directory, and I can navigate all the way up to C: (or file:///Applications/ in Mac). I also see this in Fx20017build2.
Talked to dveditz and he explained the expected results. Verified with latest build candidates of 2.0.0.17 and 3.0.2. When I type "resource:///%2e%2e" in the location bar I see the contents of these directories:

On 20016
Index of file:///C:/Program Files/Mozilla Firefox/..
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/..
Index of file:///home/mozilla/Desktop/firefox/..

On 20017build2 candidates
Index of file:///C:/Program Files/Mozilla Firefox/
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/

On 3.0.1
Index of file:///C:/Program Files/Mozilla Firefox/..
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/..
Index of file:///home/mozilla/Desktop/firefox/..

On 3.0.2build3 candidates
Index of file:///C:/Program Files/Mozilla Firefox/
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/
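An added sketch, not Mozilla's code and not the patch from bug 380994, of the check-order problem the report hints at: assuming a filter that looks for a literal `..` before percent-decoding, `%2e%2e` passes it, while decoding first and clamping dot segments at the root gives the behaviour seen in the fixed builds. `APP_DIR` and both function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Constructed install directory standing in for what resource:/// maps to.
APP_DIR = "/opt/firefox"


def _url_path(url):
    """Return the still-encoded path part of a resource:/// URL."""
    prefix = "resource://"
    if not url.startswith(prefix + "/"):
        raise ValueError("not a resource:/// URL")
    return url[len(prefix):]


def resolve_naive(url):
    """Assumed flawed order: reject literal '..', then decode, then map."""
    path = _url_path(url)
    if ".." in path.split("/"):
        raise ValueError("dot-dot segment rejected")
    decoded = unquote(path).lstrip("/")  # %2e%2e becomes '..' only here
    return posixpath.normpath(posixpath.join(APP_DIR, decoded))


def resolve_hardened(url):
    """Decode once, clamp dot segments at the root, then confirm confinement."""
    path = unquote(_url_path(url))
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    # normpath on an absolute path cannot climb above '/', so '..' is clamped.
    clamped = posixpath.normpath("/" + path.lstrip("/"))
    full = posixpath.normpath(posixpath.join(APP_DIR, clamped.lstrip("/")))
    # Defence in depth: the mapped file must still sit under APP_DIR.
    if posixpath.commonpath([APP_DIR, full]) != APP_DIR:
        raise ValueError("escapes resource root")
    return full


if __name__ == "__main__":
    for u in ("resource:///%2e%2e", "resource:///%2e%2e/%2e%2e/etc/passwd"):
        print(u, "| naive:", resolve_naive(u), "| hardened:", resolve_hardened(u))
```

The hardened resolver decodes exactly once, so a doubly encoded `%252e%252e` stays a literal file name under `APP_DIR` rather than turning into a dot segment.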
We should verify this on 1.8.0.15.
bug 380994 checked in:
http://hg.mozilla.org/mozilla-central/rev/6dad95d60106
http://hg.mozilla.org/mozilla-central/rev/1eccc541661c