Bug 394075 - Resource Directory Traversal Vulnerability
Status: RESOLVED FIXED
: [sg:nse] fix in bug 380994
: verified1.8.1.17, verified1.9.0.2
Product: Firefox
Classification: Client Software
Component: Security
: unspecified
: All All
: -- normal with 1 vote
: ---
Assigned To: Daniel Veditz
: firefox
: http://www.0x000000.com/?i=422
: CVE-2007-3073
Reported: 2007-08-28 15:36 PDT by Marco
Modified: 2008-09-30 22:47 PDT
asac: blocking1.8.0.next+

Description Marco 2007-08-28 15:36:23 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

Classical Traversal Vulnerability, maybe someone forgot some filters ...
It could be dangerous if someone opens a "well forged" page.

Reproducible: Always

Steps to Reproduce:
1. Write this "resource:///%2e%2e" (Without ") in your UR

Actual Results:
You can navigate your file system!

Expected Results:  
The software forgets some filters in resource procedure

Comment 1 Daniel Veditz 2007-08-28 15:52:46 PDT
Posted on a well-read blog at http://www.0x000000.com/?i=422 so no point in a hidden bug --> unhiding.

If you put a slash after that it doesn't work so you can't actually load any files that way or traverse higher. The result is surprising, bad, but not clear this is an actual vulnerability since other sites won't be able to read the directory listing.

Comment 2 Marco 2007-08-28 16:00:46 PDT
OK, thank you.
I have never read http://www.0x000000.com/?i=422; I frequently use resource:/// :-).

Only to help your wonderful project.

Comment 3 Jesse Ruderman 2008-01-22 11:20:26 PST
See also bug 413250, a similar-sounding bug for chrome: URLs.

Comment 4 Daniel Veditz 2008-08-26 19:54:50 PDT
The latest patch in bug 380994 fixes this case as well.

We never found an actual exploit for this.

Comment 5 Gregory Fleischer 2008-08-26 20:49:55 PDT
Bug 417400 has an example attack. At a minimum, this could be used to compromise user privacy.

Comment 6 juan becerra [:juanb] 2008-08-29 12:01:06 PDT
When I enter "resource:///%2e%2e" in Fx20016 I can see the contents of my install directory, and I can navigate all the way up to C: (or file:///Applications/ in Mac). I also see this in Fx20017build2.

Comment 7 juan becerra [:juanb] 2008-08-29 14:10:17 PDT
Talked to dveditz and he explained the expected results. Verified with latest build candidates of 2.0.0.17 and 3.0.2. When I type "resource:///%2e%2e" in the location bar I see the contents of these directories:

On 20016
Index of file:///C:/Program Files/Mozilla Firefox/..
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/.. 
Index of file:///home/mozilla/Desktop/firefox/..

On 20017build2 candidates
Index of file:///C:/Program Files/Mozilla Firefox/
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/

On 3.0.1
Index of file:///C:/Program Files/Mozilla Firefox/..
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/..
Index of file:///home/mozilla/Desktop/firefox/..

On 3.0.2build3 candidates
Index of file:///C:/Program Files/Mozilla Firefox/
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/

Comment 8 Alexander Sack 2008-08-31 06:56:43 PDT
We should verify this on 1.8.0.15.
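
The before/after listings in Comment 7 (a trailing `..` on 2.0.0.16 and 3.0.1, none on the fixed builds) can be modelled with a small path resolver. This is an added example, not Mozilla's code and not the patch from bug 380994; the install path, the function names, and the filter-before-decode ordering of the naive resolver are assumptions made for illustration. It goes slightly beyond the reported case by also refusing encoded separators and malformed escapes.

```javascript
// Added illustration, not Mozilla code. ROOT is a constructed install path.
const ROOT = "/opt/firefox";

const split = (p) => p.split("/").filter((s) => s.length > 0);

// Naive: drop literal "." and ".." segments, THEN percent-decode once.
// "%2e%2e" passes the filter and only becomes ".." after it.
function resolveNaive(urlPath) {
  const kept = split(urlPath).filter((s) => s !== "." && s !== "..");
  return ROOT + "/" + kept.map(decodeURIComponent).join("/");
}

// Hardened: decode each segment once, then collapse dot segments,
// clamping at ROOT. Returns null for input it refuses to map.
function resolveHardened(urlPath) {
  const out = [];
  for (const raw of split(urlPath)) {
    let seg;
    try {
      seg = decodeURIComponent(raw);
    } catch (e) {
      return null; // malformed escape such as "%zz"
    }
    if (/[\/\\\0]/.test(seg)) return null; // encoded separator or NUL
    if (seg === ".") continue;
    if (seg === "..") {
      out.pop(); // no-op when already at ROOT
      continue;
    }
    out.push(seg);
  }
  return ROOT + "/" + out.join("/");
}

// What the filesystem would finally open: collapse dot segments in an
// absolute path, then test containment under ROOT.
function staysInRoot(fsPath) {
  const out = [];
  for (const seg of split(fsPath)) {
    if (seg === "..") out.pop();
    else if (seg !== ".") out.push(seg);
  }
  const real = "/" + out.join("/");
  return real === ROOT || real.startsWith(ROOT + "/");
}
```

Running `staysInRoot` on every resolved path before opening it is a useful second check, because it catches any resolver whose filtering and decoding steps are in the wrong order.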
