Comments on: Firefox 0day local file reading http://larholm.com/2007/05/25/firefox-0day-local-file-reading/ Me, myself and I Thu, 11 Mar 2010 03:38:17 +0000 http://wordpress.org/?v=2.6.2 By: duke http://larholm.com/2007/05/25/firefox-0day-local-file-reading/#comment-1016 duke Sun, 22 Jul 2007 18:39:56 +0000 http://test.larholm.com/?p=11#comment-1016 Firefox 2.0.0.5 is still vulnerable Firefox 2.0.0.5 is still vulnerable

]]> By: Larholm.com - Me, myself and I » Unpatched input validation flaw in Firefox 2.0.0.4 http://larholm.com/2007/05/25/firefox-0day-local-file-reading/#comment-56 Larholm.com - Me, myself and I » Unpatched input validation flaw in Firefox 2.0.0.4 Mon, 04 Jun 2007 18:31:13 +0000 http://test.larholm.com/?p=11#comment-56 [...] were a number of interesting comments on my previous post, Firefox 0day local file reading. Checking the current Windows patch status was suggested by Sergey Vzloman and H D Moore [...] [...] were a number of interesting comments on my previous post, Firefox 0day local file reading. Checking the current Windows patch status was suggested by Sergey Vzloman and H D Moore [...]

]]> By: ukio http://larholm.com/2007/05/25/firefox-0day-local-file-reading/#comment-54 ukio Fri, 01 Jun 2007 12:07:31 +0000 http://test.larholm.com/?p=11#comment-54 Is it possible to steal cookies using an ajax backgound file-upload?? I sketched a possible attack <a href="http://mobdev.tknerr.de/2007/06/01/cookie-stealing-using-ajax-backgound-file-upload/" rel="nofollow">here</a> I am sure this must have been discussed already, but IMHO this is still a big issue. Would be glad to hear your comments if the sketched attack is indeed so easily possible -ukio Is it possible to steal cookies using an ajax backgound file-upload??

I sketched a possible attack here

I am sure this must have been discussed already, but IMHO this is still a big issue. Would be glad to hear your comments if the sketched attack is indeed so easily possible

-ukio

]]> By: ukio http://larholm.com/2007/05/25/firefox-0day-local-file-reading/#comment-53 ukio Fri, 01 Jun 2007 09:16:07 +0000 http://test.larholm.com/?p=11#comment-53 @Sergey Vzloman The same thing (i.e. accessing a local file whose path you know) can be done using a backgound ajax file upload, can't it? You could upload it to your server and processing it there. Then you could also pass it back to javascript via ajax if desired. This ajax background fileupload thing seems to be a big security issue to me, is there a way to protect yourself from that? @Sergey Vzloman

The same thing (i.e. accessing a local file whose path you know) can be done using a backgound ajax file upload, can’t it?

You could upload it to your server and processing it there. Then you could also pass it back to javascript via ajax if desired.

This ajax background fileupload thing seems to be a big security issue to me, is there a way to protect yourself from that?

]]> By: Thor Larholm http://larholm.com/2007/05/25/firefox-0day-local-file-reading/#comment-52 Thor Larholm Thu, 31 May 2007 13:44:17 +0000 http://test.larholm.com/?p=11#comment-52 Yup, the patch only filters out backslashes (\) and not forward slashes (/) so Linux/Unix/OS X are still vulnerable to the full directory traversal. I mentioned this as well in the bugzilla case that Mozilla has had open since January. Yup, the patch only filters out backslashes (\) and not forward slashes (/) so Linux/Unix/OS X are still vulnerable to the full directory traversal.

I mentioned this as well in the bugzilla case that Mozilla has had open since January.

]]> By: HD http://larholm.com/2007/05/25/firefox-0day-local-file-reading/#comment-51 HD Thu, 31 May 2007 13:17:32 +0000 http://test.larholm.com/?p=11#comment-51 resource:///etc/passwd (3 slashes on unix works fine) resource:///etc/passwd (3 slashes on unix works fine)

]]> By: Thor Larholm http://larholm.com/2007/05/25/firefox-0day-local-file-reading/#comment-50 Thor Larholm Thu, 31 May 2007 12:24:23 +0000 http://test.larholm.com/?p=11#comment-50 The PoC at http://larholm.com/misc/ffresourcefile.html is a relatively harmless demonstration of why exposing the resource protocol to web content is a bad idea. The patch only closes the directory traversal aspect. You can still read local files in Firefox 2.0.0.4, but it is now limited to the files within your Firefox installation directory such as update.xml and install.log that reveal your current patch status. The patch that was introduced in Firefox 2.0.0.4 accidentally opens up the resource protocol to a separate input validation flaw. I have been kind enough to give Mozilla advance notice of this vulnerability and will follow up here with a separate post on the subject. The PoC at http://larholm.com/misc/ffresourcefile.html is a relatively harmless demonstration of why exposing the resource protocol to web content is a bad idea.

The patch only closes the directory traversal aspect. You can still read local files in Firefox 2.0.0.4, but it is now limited to the files within your Firefox installation directory such as update.xml and install.log that reveal your current patch status.

The patch that was introduced in Firefox 2.0.0.4 accidentally opens up the resource protocol to a separate input validation flaw. I have been kind enough to give Mozilla advance notice of this vulnerability and will follow up here with a separate post on the subject.

]]> By: carl http://larholm.com/2007/05/25/firefox-0day-local-file-reading/#comment-49 carl Thu, 31 May 2007 08:07:43 +0000 http://test.larholm.com/?p=11#comment-49 Firefox 2.0.0.4 is still vulnerable, I've tested it with this PoC: http://larholm.com/misc/ffresourcefile.html Firefox 2.0.0.4 is still vulnerable, I’ve tested it with this PoC:
http://larholm.com/misc/ffresourcefile.html

]]> By: Thor Larholm http://larholm.com/2007/05/25/firefox-0day-local-file-reading/#comment-48 Thor Larholm Wed, 30 May 2007 08:20:10 +0000 http://test.larholm.com/?p=11#comment-48 Firefox 2.0.0.4 and 1.5.0.12 will be released today, fixing this vulnerability. <a href="http://developer.mozilla.org/devnews/index.php/2007/05/29/firefox-15012-firefox-2004-to-be-available-soon/" rel="nofollow"> http://developer.mozilla.org/devnews/index.php/2007/05/29/firefox-15012-firefox-2004-to-be-available-soon/ </a> Firefox 2.0.0.4 and 1.5.0.12 will be released today, fixing this vulnerability.


http://developer.mozilla.org/devnews/index.php/2007/05/29/firefox-15012-firefox-2004-to-be-available-soon/

]]> By: Thor Larholm http://larholm.com/2007/05/25/firefox-0day-local-file-reading/#comment-47 Thor Larholm Wed, 30 May 2007 04:41:59 +0000 http://test.larholm.com/?p=11#comment-47 Larry Seltzer writes about this vulnerability in PC Magazine. <a href="http://www.pcmag.com/article2/0,1895,2136519,00.asp" rel="nofollow"> http://www.pcmag.com/article2/0,1895,2136519,00.asp </a> Larry Seltzer writes about this vulnerability in PC Magazine.


http://www.pcmag.com/article2/0,1895,2136519,00.asp

]]>