Re (5): Capability of Iceweasel to open a local file.
Hello Axel,
From: Axel Freyn <axel-freyn@gmx.de>
Date: Tue, 07 Jun 2011 10:40:22 +0200
> I have no webserver at hand, so I haven't tested ...
But you don't need a server. You only need to find a link, on any
server anywhere, which targets a file URI. Then duplicate the file
in your own system. Use a link on my server if you want to try a test.
> The serious security flaw which I see here is the following: This
> allows all remote sites which you're looking at to use "file:///" in
> order to access your local files. That's true also for javascript.
But the remote site does nothing more serious than provide a file URI.
The file can't even execute unless it's executable. For something bad to
occur the user would have to prearrange a dangerous executable. Then
find and click a link targeting that executable. Could all this happen
by accident? More likely for a blundering user to "cd ~; rm -r *"?
> So, as
> soon as you set "security.checkloaduri=true", a website you're visiting
> could copy all files from your local disk which you're allowed to read
> (so /etc/shadow would be inaccessible (except you run iceweasel as root
> :-)), but all files in /home/user can be copied).
Only if the local user clicks on the link and the target does the malicious
deed. Why would such a dangerous target executable be lying around?
> Do you know how that problem is solved in Native Oberon?
The browser, Desktops.OpenDoc, is elementary. Offhand I can't imagine
it doing anything significant. A2 might have a risk. I don't know A2
well enough to answer for it.
Regards, ... Peter E.
--
Telephone 1 360 450 2132. bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .