[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] [ MDVSA-2013:210 ] firefox

To: security@xxxxxxxxxxxx
Subject: Re: [Full-disclosure] [ MDVSA-2013:210 ] firefox
From: Georgi Guninski <guninski@xxxxxxxxxxxx>
Date: Thu, 8 Aug 2013 18:14:55 +0300


On Wed, Aug 07, 2013 at 04:48:22PM +0300, Georgi Guninski wrote:
> 
> 
> On Wed, Aug 07, 2013 at 12:36:01PM +0200, security@xxxxxxxxxxxx wrote:
> >  
> >  Security researcher Georgi Guninski reported an issue with Java
> 
> 
> Just to clarify:  I haven't report _any_ "issues" to mozilla
> since years...
> They are not fast in fixing bugs, especially when involving
> other vendors.
> If I get pissed off, will try to find the dates about
> the "issue" in question (suspect since at least 4 years).
> 
> 
>

looks like it's more than 4 years...

from their advisory appears it is bug #406541.

Here it is:

Date: Mon, 3 Dec 2007 01:43:10 -0800
From: bugzilla-daemon@xxxxxxxxxxx
To: 
Subject: [Bug 406541] New:
        local java applet may read arbitrary files under certain circumstances

Do not reply to this email.  You can add comments to this bug at
https://bugzilla.mozilla.org/show_bug.cgi?id=406541

           Summary: local java applet may read arbitrary files under certain
                    circumstances
           Product: Firefox
           Version: Trunk
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: --
         Component: Security
        AssignedTo: nobody@xxxxxxxxxxx
        ReportedBy: guninski@xxxxxxxxxxxx
         QAContact: firefox@xxxxxxxxxxxxx


Created an attachment (id=291181)
 --> (https://bugzilla.mozilla.org/attachment.cgi?id=291181)
a1.java - compiled a1.class must be saved in
/tmp/DumbUglyB1llMarriedDumbUglyB1tch

recent trunk has restrictions on what local html can access

in bug 402998 Comment #8 someone with sun.com email asked to "post a test" for
local applet circumventing restrictions.

it is like beating a death horse, but here it is:

if the path of the locally saved applet is known at applet compile time, the
applet can read any file.

note that if the luser saves files in a single directory, a two stage attack
may be successful with high probability.

suppose the applet is saved in directory:
/tmp/DumbUglyB1llMarriedDumbUglyB1tch

it should be instantiated like this:
<applet codebase="file:///"
code="tmp.DumbUglyB1llMarriedDumbUglyB1tch.a1">
</applet>

and the applet should contain:
/*
 * This is the path to the applet filename:
 * */
package tmp.DumbUglyB1llMarriedDumbUglyB1tch;
public class a1 extends Applet {


--
Configure bugmail: https://bugzilla.mozilla.org/userprefs.cgi?tab=email

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] [ MDVSA-2013:210 ] firefox
  - From: security
- Re: [Full-disclosure] [ MDVSA-2013:210 ] firefox
  - From: Georgi Guninski

Prev by Date: [Full-disclosure] OUTDATED, UNSUPPORTED and VULNERABLE 3rd party components installed with Exact Audio Copy
Next by Date: [Full-disclosure] pixlr.com bluecoat image file bypass
Previous by thread: Re: [Full-disclosure] [ MDVSA-2013:210 ] firefox
Next by thread: [Full-disclosure] [SECURITY] [DSA 2735-1] iceweasel security update
Index(es):
- Date
- Thread