Closed Bug 394075 Opened 17 years ago Closed 16 years ago

Resource Directory Traversal Vulnerability

Categories

(Firefox :: Security, defect)

defect
Not set
normal

RESOLVED FIXED

People

(Reporter: mramilli, Assigned: dveditz)

Details

(Keywords: verified1.8.1.17, verified1.9.0.2, Whiteboard: [sg:nse] fix in bug 380994)

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

Classical Traversal Vulnerability, maybe someone forgot some filters ... It could be dangerous if someone opens a "well forged" page.

Reproducible: Always

Steps to Reproduce:
1. Write this "resource:///%2e%2e" (Without ") in your UR
2.
3.

Actual Results:
You can navigate your file system!

Expected Results:
The software forgets some filters in resource procedure
Posted on a well-read blog at http://www.0x000000.com/?i=422 so no point in a hidden bug --> unhiding. If you put a slash after that it doesn't work so you can't actually load any files that way or traverse higher. The result is surprising, bad, but not clear this is an actual vulnerability since other sites won't be able to read the directory listing.
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:investigate]
OK, thank you. I have never read http://www.0x000000.com/?i=422; I frequently use resource:/// :-). Only to help your wonderful project.
See also bug 413250, a similar-sounding bug for chrome: URLs.
Depends on: CVE-2007-3073
The latest patch in bug 380994 fixes this case as well. We never found an actual exploit for this.
Assignee: nobody → dveditz
Whiteboard: [sg:investigate] → [sg:nse] fix in bug 380994
Bug 417400 has an example attack. At a minimum, this could be used to compromise user privacy.
When I enter "resource:///%2e%2e" in Fx20016 I can see the contents of my install directory, and I can navigate all the way up to C: (or file:///Applications/ in Mac). I also see this in Fx20017build2.
Talked to dveditz and he explained the expected results. Verified with latest build candidates of 2.0.0.17 and 3.0.2. When I type "resource:///%2e%2e" in the location bar I see the contents of these directories:

On 20016
Index of file:///C:/Program Files/Mozilla Firefox/..
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/..
Index of file:///home/mozilla/Desktop/firefox/..

On 20017build2 candidates
Index of file:///C:/Program Files/Mozilla Firefox/
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/

On 3.0.1
Index of file:///C:/Program Files/Mozilla Firefox/..
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/..
Index of file:///home/mozilla/Desktop/firefox/..

On 3.0.2build3 candidates
Index of file:///C:/Program Files/Mozilla Firefox/
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/
We should verify this on 1.8.0.15.
Flags: blocking1.8.0.15+
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
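
Added example, not part of the bug thread and not Firefox code: a sketch of how a percent-encoded ".." can survive a dot-segment filter that runs before decoding, next to an ordering that decodes first and clamps at the root, which gives the same before/after listings as the verification comment above. ROOT and the function names are hypothetical, and the decode-order mistake is an assumed illustration, not the confirmed root cause.

```javascript
// Constructed root standing in for the application directory (assumption).
const ROOT = "/opt/app";

// RFC 3986-style dot-segment removal over path segments. A ".." at the top
// is dropped, so the result can never climb above the mapped root.
function removeDotSegments(segments) {
  const out = [];
  for (const seg of segments) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return out;
}

function pathOf(url) {
  const prefix = "resource:///";
  if (!url.startsWith(prefix)) throw new Error("not a resource: URL");
  return url.slice(prefix.length);
}

// Weak order: filter ".." on the still-encoded text, decode afterwards.
// "%2e%2e" is not literally "..", so it passes the filter and then decodes.
function resolveNaive(url) {
  const segs = removeDotSegments(pathOf(url).split("/"));
  return [ROOT, ...segs.map(decodeURIComponent)].join("/");
}

// Hardened order: decode every segment first, reject separators smuggled in
// through encoding, then normalise so ".." is resolved inside the root.
function resolveHardened(url) {
  const decoded = pathOf(url).split("/").map(decodeURIComponent);
  if (decoded.some((s) => /[\/\\\0]/.test(s))) {
    throw new Error("encoded separator in path segment");
  }
  const segs = removeDotSegments(decoded);
  return segs.length ? ROOT + "/" + segs.join("/") : ROOT + "/";
}
```

With the URL from the report, resolveNaive returns the root followed by "..", as in the 2.0.0.16 and 3.0.1 listings, while resolveHardened returns the root itself, as in the fixed build candidates.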