Closed Bug 1519506 Opened 6 years ago Closed 6 years ago

(Mozilla Firefox stealing local files vulnerability ) HTML file input element accepting directories as its input opens “Select Folder to Upload” window in a bad way.

Categories

(Firefox :: Security, enhancement)

64 Branch
Desktop
All
enhancement
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1338637

People

(Reporter: 0xc0derm4n, Unassigned)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(4 files)

HTML file input element accepting directories as its input opens “Select Folder to Upload” window in a bad way.

In the opened window, the “Upload” button is auto-focused, Desktop is the default directory and there is no warning about the action.

It is possible to read local files and directories and get their details just by holding down the ENTER key for a short while.

I have attached Firefox_Stealing_LocalFiles.zip file containing all information about the issue.

Extract the zip file. It contains:
1-Full report about the issue.
2-Proof of concept codes.
3-Video files.

Regards.

Flags: sec-bounty?
Attached file Firefox_Stealing_LocalFiles.part1.rar (deleted) —
Attached file Firefox_Stealing_LocalFiles.part2.rar (deleted) —

As the server got an error, I uploaded the file in RAR format and in two parts.

Extract the RAR files. It contains:
1-Full report about the issue.
2-Proof of concept codes.
3-Video files.

OS: Unspecified → All
Hardware: Unspecified → Desktop
Version: unspecified → 64 Branch

Please include a full description of the issue as a comment in the actual bugreport instead of attaching huge archives just to read a description of the issue you're trying to claim a bounty for.

Flags: needinfo?(0xc0derm4n)

FWIW, without seeing a full description, this looks like a dupe of bug 1338637 to me.

Mozilla Firefox stealing local files vulnerability

Summary:
HTML file input element accepting directories as its input opens “Select Folder to Upload” window in a bad way.
In the opened window, the “Upload” button is auto-focused, Desktop is the default directory and there is no warning about the action.
It is possible to read local files and directories and get their details just by holding down the ENTER key for a short while.

Tested On:
o Mozilla Firefox 64.0 (64-bit) for Desktop on Linux (Debian 9)
o Mozilla Firefox 64.0 (32-bit) for Desktop on Windows 10
o Mozilla Firefox 64.0.2 (32-bit) for Desktop on Windows 10
o Other versions may be affected.

Description:
HTML file input element accepts two types as its input:
• Files
• Folders

Here are examples. This file input accepts files as its input:
<input type="file" id="file">
And this one accepts folders:
<input type="file" webkitdirectory="" id="file">

When you click a file input (“Browse…” button), the browser opens a window asking you to choose the files/folders you want to share with the web application.

As you can see:
• The Desktop directory is the default directory of an Upload Window when it’s opened for the first time from a new origin you have visited.

• There are two buttons that help you to decide what you want to do:
o “Cancel” button: To cancel the request and close the window.

o “Upload” button: To pass the selected files/folders to the file input.

Here are the security issues:
• Desktop is the most used directory for many people, as we can access it easily. We usually place our files/folders in the Desktop directory, so many files containing sensitive information are stored in this directory.

• The “Upload” button is focused automatically. It’s dangerous. When there are “Yes” and “No” options and choosing “Yes” may be harmful, it’s better to warn the user about what he is actually doing, or to focus on “No” automatically.

(Note: Browsers on Mobile devices handle file inputs in a different way. Above security issues are about Desktop versions.)

Proof of Concept:
The mentioned security issues can be exploited easily to steal sensitive files.
All we need to exploit them are these simple steps:

1- We ask the user to hold down the Enter key for a short while. Many online games and text editors do it.
2- JavaScript code clicks the file input while the Enter key is held down.
3- The “Upload Window” is opened, the “Upload” button is focused automatically and the Enter key is held down.
What happens is that the page is given access to read the selected files/folders in just a few milliseconds.

The above steps in Code language:

I have provided an HTML file (demo.html file in the current directory) that you can test:

  1-Open the file with Mozilla Firefox.
  2-Press Enter key for 5 seconds.
  3-Bing!
  4-You can try it again after 2 seconds.

Also, I have provided a better exploit file (exploit.php in the current directory) to show how an attacker can steal files/folders and upload them to his server, detect what applications are installed on the local system or detect what the OS username is.

To test exploit.php:

0- You can edit JavaScript CheckFiles() function of exploit.php file to specify certain files you want to be uploaded:

1- Upload exploit.php file to your web server.
2- Browse the uploaded file from Mozilla Firefox.
3- Hold down the Enter key for a short while.
4- Check StolenFiles directory in your web server to be sure that your local files were uploaded to the web server.

I have provided two video files (poc_linux.mp4 and poc_windows.mp4 in the current directory) that show how to test exploit.php and how it works. These videos may help you.

The mentioned security bugs can be exploited for:

• Theft of files from the local system
o Attackers can read local files/folders and get their details.

• Disclosure of OS usernames.
o It’s possible to get OS usernames if the last file uploaded to the server before running the exploit code was from the home directory of the victim.

• Disclosure of local files.
o Attackers can find out what directories exist and what files are in them.

• Disclosure of local applications without argument.
o As many applications create their executable/shortcut files in the Desktop directory, the attacker can analyze .exe and .lnk files to fingerprint applications installed on the local system (on Windows and probably on Linux).

Expected Result:
In the upload window, it should not auto-focus on “Upload” button or it should show a warning message like what Chrome does (“Cancel” button is auto-focused.):

Observed Result:
In the upload window, “Upload” button is focused automatically and there is no warning message.

About:
• Author: 0xCoderMan
• Email-Address: 0xc0derm4n@gmail.com

Flags: needinfo?(0xc0derm4n)
Attached file exploit.php (deleted) —
Attached file demo.html (deleted) —
Attachment #9036104 - Attachment mime type: application/octet-stream → text/plain

OK, yes, this is a duplicate of bug 1338637.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-