| More about | Changing settings | Security Holes | |
|---|---|---|---|
Firefox/Mozilla Demo: Reading local files via local HTML files
Mozilla & Co. also work with local HTML files stored on the user's computer, in particular with rights that, for instance, allow them to launch other local files via file://. JavaScript may then send the content of these files to an external server.
Giovanni Delvecchio points out that a Web server can enforce an "open with" dialog by specifying an unknown file type. If the user selects the to open the HTML document with the browser, this document will be downloaded and opened with the rights of a local file. According to Delvecchio, this affects Mozilla, Firefox and Opera. The following demo has been adapted to work with Mozilla and Firefox.
Demo
Local files cannot be read out directly from an external Web page. For this reason, this demo offers you the option of opening or saving an HTML file, which then reads out a local file on your system.
Windows:
First you have to create the file C:\cttest.txt or save this file under "C:\cttest.txt" and click open C:\cttest.txt.
Linux: Open /etc/passwd.
You will then see a dialog window that asks you what you want to do with the file "cttest.html". Open the file either directly or after saving it with your browser.
If a window is displayed with the file content, the demo worked properly; the script would also have been able to send the file content to an external server. If no message is displayed, the demo failed. Users must decide themselves if reading out local files this way constitutes a security problem.
Remedy:
Deactivate JavaScript.
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
