Closed
Bug 394075
Opened 17 years ago
Closed 16 years ago
Resource Directory Traversal Vulnerability
Categories
(Firefox :: Security, defect)
Firefox
Security
Tracking
()
RESOLVED
FIXED
People
(Reporter: mramilli, Assigned: dveditz)
References
()
Details
(Keywords: verified1.8.1.17, verified1.9.0.2, Whiteboard: [sg:nse] fix in bug 380994)
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; it; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Classical Traversal Vulnerability, maybe someone forgot some filters ...
It could be dangerous if someone open a "well forged" page.
Reproducible: Always
Steps to Reproduce:
1.Write this "resource:///%2e%2e" (Without ") in your UR
2.
3.
Actual Results:
You can navigate your file system !
Expected Results:
The software forgets some filters in resource procedure
|
Assignee | |
Comment 1•17 years ago
|
||
Posted on a well-read blog at http://www.0x000000.com/?i=422 so no point in a hidden bug --> unhiding.
if you put a slash after that it doesn't work so you can't actually load any files that way or traverse higher. The result is surprising, bad, but not clear this is an actual vulnerability since other sites won't be able to read the directory listing.
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:investigate]
OK, thank you.
I have never read http://www.0x000000.com/?i=422, I use frequently resource:/// :-).
Only for help your wonderful project.
|
||
Comment 3•17 years ago
|
||
See also bug 413250, a similar-sounding bug for chrome: URLs.
|
|
Assignee | |
Updated•16 years ago
|
Depends on: CVE-2007-3073
|
|
Assignee | |
Comment 4•16 years ago
|
||
The latest patch in bug 380994 fixes this case as well.
We never found an actual exploit for this.
Assignee: nobody → dveditz
Whiteboard: [sg:investigate] → [sg:nse] fix in bug 380994
|
||
Comment 5•16 years ago
|
||
Bug 417400 has an example attack. At a minimum, this could be used to compromise user privacy.
|
|
Assignee | |
Updated•16 years ago
|
Keywords: fixed1.8.1.17,
fixed1.9.0.2
|
||
Comment 6•16 years ago
|
||
When I enter "resource:///%2e%2e" in Fx20016 I can see the contents of my install directory, and I can navigate all the way up to C: (or file:///Applications/ in Mac). I also see this in Fx20017build2.
|
|
||
Comment 7•16 years ago
|
||
Talked to dveditz and he explained the expected results. Verified with latest build candidates of 2.0.0.17 and 3.0.2. When I type "resource:///%2e%2e" in the location bar I see the contents of these directories:
On 20016
Index of file:///C:/Program Files/Mozilla Firefox/..
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/..
Index of file:///home/mozilla/Desktop/firefox/..
On 20017build2 candidates
Index of file:///C:/Program Files/Mozilla Firefox/
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/
On 3.0.1
Index of file:///C:/Program Files/Mozilla Firefox/..
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/..
Index of file:///home/mozilla/Desktop/firefox/..
On 3.0.2build3 candidates
Index of file:///C:/Program Files/Mozilla Firefox/
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/
|
|
Assignee | |
Comment 9•16 years ago
|
||
bug 380994 checked in:
http://hg.mozilla.org/mozilla-central/rev/6dad95d60106
http://hg.mozilla.org/mozilla-central/rev/1eccc541661c
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•