Bug 416318 - resource:// traversal allows stealing files from a local page
Status: RESOLVED FIXED
: [sg:moderate]
: verified1.8.1.17, verified1.9.0.2
Product: Core
Classification: Components
Component: General
: Trunk
: x86 Linux
: -- normal
Assigned To: Daniel Veditz
: general
: CVE-2007-3073
Reported: 2008-02-08 01:45 PST by georgi - hopefully not receiving bugspam
Modified: 2008-11-16 20:50 PST
dsicore: blocking1.9-
mbeltzner: blocking1.9.0.1-
dsicore: wanted1.9.0.x+
dveditz: blocking1.8.1.17+
dveditz: wanted1.8.1.x+
asac: blocking1.8.0.next?


Attachments
sav1.html (501 bytes, text/html)
2008-02-08 01:45 PST, georgi - hopefully not receiving bugspam

Description georgi - hopefully not receiving bugspam 2008-02-08 01:45:17 PST
Created attachment 302100
sav1.html

trunk has restrictions on what local html can access.
this can be bypassed via resource:// traversal:
resource:///%2E%2E%2F%2E%2E%2F..%2F..%2F..%2F..%2F..%2Fproc/self/environ

saves the environment of firefox (containing the salty profile name)

later if the page is opened locally with |file| protocol, the file can
be read.

testcase reads /proc/self/environ (note that |self| is the pid of the
saving firefox)

requires saving a file => sg:moderate
Comment 1 Damon Sicore (:damons) 2008-03-10 17:40:34 PDT
Not blocking 1.9, but yes blocking 1.9.0.x.  Feel free to argue with me.
Comment 2 Mike Schroepfer 2008-06-24 20:07:10 PDT
Dan are you working on this?  If not can you suggest an alternate?
Comment 3 Daniel Veditz 2008-08-27 00:48:26 PDT
Fixed by bug 380994 on branches, not yet on mozilla-central
Comment 4 juan becerra [:juanb] 2008-08-29 15:13:17 PDT
Verified on Ubuntu 8.0.4:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008082909 Firefox/3.0.2
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17

In 20017/3.0.2 when I enter resource:///%2E%2E%2F%2E%2E%2F..%2F..%2F..%2F..%2F..%2Fproc/self/environ in the location bar I get a page load error.

In 20016/3.0.1 I was prompted to save a file.
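
An added example, not part of the bug report and not the fix from bug 380994: it runs the URL from the description through two resolvers to show why percent-encoded `%2E%2E%2F` segments defeat a check made before decoding, and how decoding first and then checking containment rejects it. `APP_ROOT`, `naive_resolve` and `safe_resolve` are hypothetical names; the naive version is a generic illustration of the flawed ordering, not a claim about Gecko's code.

```python
import posixpath
from urllib.parse import unquote, urlsplit

APP_ROOT = "/opt/app"  # assumed directory that resource:/// maps to (constructed)

# URL quoted in the description and in comment 4 of this bug.
REPORTED = "resource:///%2E%2E%2F%2E%2E%2F..%2F..%2F..%2F..%2F..%2Fproc/self/environ"


class TraversalError(ValueError):
    """Raised when a resource URL would resolve outside the root."""


def naive_resolve(url, root=APP_ROOT):
    """Flawed order: look for '..' segments in the raw path, decode afterwards."""
    raw = urlsplit(url).path
    # '%2E%2E%2F..%2F' contains no '/' yet, so no segment equals '..' here.
    if ".." in raw.split("/"):
        raise TraversalError(url)
    return posixpath.normpath(posixpath.join(root, unquote(raw).lstrip("/")))


def safe_resolve(url, root=APP_ROOT):
    """Decode once, normalize, then require the result to stay under root."""
    decoded = unquote(urlsplit(url).path)
    if "\x00" in decoded:
        raise TraversalError(url)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment is checked on the final path, not on the input spelling.
    # A real loader would also resolve symlinks before this comparison.
    if posixpath.commonpath([root, candidate]) != root:
        raise TraversalError(url)
    return candidate


if __name__ == "__main__":
    print("naive:", naive_resolve(REPORTED))
    try:
        safe_resolve(REPORTED)
    except TraversalError:
        print("safe: rejected")
    print("safe:", safe_resolve("resource:///chrome/icons/default.png"))
```
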
