CVE-2019-11730
Published 2019-07-23
Priority: P342 · medium · 6.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 20.27% (97.1th percentile)
A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories, and they may be uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they open that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
Affected: 22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | firefox | < firefox 68.0-1 (sid) | firefox 68.0-1 (sid) |
| debian | firefox-esr | < firefox 68.0-1 (sid) | firefox 68.0-1 (sid) |
| debian | thunderbird | < firefox 68.0-1 (sid) | firefox 68.0-1 (sid) |
| mozilla | firefox | < 68.0 | 68.0 |
| mozilla | firefox | >= 0 < 68.0+build3-0ubuntu0.16.04.1 | 68.0+build3-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 68.0.1+build1-0ubuntu0.16.04.1 | 68.0.1+build1-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 68.0+build3-0ubuntu0.18.04.1 | 68.0+build3-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 68.0.1+build1-0ubuntu0.18.04.1 | 68.0.1+build1-0ubuntu0.18.04.1 |
| mozilla | firefox | >= unspecified < 68 | 68 |
| mozilla | firefox_esr | < 60.8 | 60.8 |
| mozilla | firefox_esr | >= unspecified < 60.8 | 60.8 |
| mozilla | thunderbird | < 60.8 | 60.8 |
| mozilla | thunderbird | >= 0 < 1:60.8.0-1 | 1:60.8.0-1 |
| mozilla | thunderbird | >= 0 < 1:60.8.0-1 | 1:60.8.0-1 |
| mozilla | thunderbird | >= 0 < 1:60.8.0-1 | 1:60.8.0-1 |
| mozilla | thunderbird | >= 0 < 1:60.8.0-1 | 1:60.8.0-1 |
| mozilla | thunderbird | >= 0 < 1:60.8.0+build1-0ubuntu0.16.04.2 | 1:60.8.0+build1-0ubuntu0.16.04.2 |
| mozilla | thunderbird | >= 0 < 1:60.8.0+build1-0ubuntu0.18.04.1 | 1:60.8.0+build1-0ubuntu0.18.04.1 |
| mozilla | thunderbird | >= unspecified < 60.8 | 60.8 |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | 9.8 | CRITICAL | — |
| vendor_ubuntu | 9.8 | CRITICAL | — |
| vendor_debian | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |
GHSA
GHSA-353x-8rf5-m26c · ghsa_unreviewed · 2022-05-24 · CVE-2019-11730 [MEDIUM]
OSV
firefox regressions · osv · 2019-07-25 · CVSS 9.8 · CVE-2019-9811 [CRITICAL]
USN-4054-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems. We apologize for the inconvenience.
Original advisory details:
A sandbox escape was discovered in Firefox. If a user were tricked into installing a malicious language pack, an attacker could exploit this to gain additional privileges. (CVE-2019-9811)
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass same origin restrictions, conduct cross-site scripting (XSS) attacks, conduct cross-site request forgery (CSRF) attacks, spoof origin attributes, spoof the addressbar
OSV
CVE-2019-11730 · osv · 2019-07-23 · CVSS 6.5 · [MEDIUM]
OSV
thunderbird vulnerabilities · osv · 2019-07-17 · CVSS 9.8 · CVE-2019-9811 [CRITICAL]
A sandbox escape was discovered in Thunderbird. If a user were tricked into installing a malicious language pack, an attacker could exploit this to gain additional privileges. (CVE-2019-9811)
Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, bypass same origin restrictions, conduct cross-site scripting (XSS) attacks, spoof origin attributes, or execute arbitrary code. (CVE-2019-11709, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11715, CVE-2019-11717)
It was discovered that NSS incorrectly handled importing certain curve25519 private keys. An attacker could exploit this issue to c
OSV
firefox vulnerabilities · osv · 2019-07-12 · CVSS 9.8 · CVE-2019-9811 [CRITICAL]
A sandbox escape was discovered in Firefox. If a user were tricked into installing a malicious language pack, an attacker could exploit this to gain additional privileges. (CVE-2019-9811)
Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass same origin restrictions, conduct cross-site scripting (XSS) attacks, conduct cross-site request forgery (CSRF) attacks, spoof origin attributes, spoof the addressbar contents, bypass safebrowsing protections, or execute arbitrary code. (CVE-2019-11709, CVE-2019-11710, CVE-2019-11711, CVE-2019-11712, CVE-2019-11713, CVE-2019-11714, CVE-2019-11715, CVE-2
Ubuntu
Firefox regressions · vendor_ubuntu · 2019-07-25 · CVSS 9.8 · CVE-2019-9811 [CRITICAL]
Summary: USN-4054-1 caused some minor regressions in Firefox.
Ubuntu
Thunderbird vulnerabilities · vendor_ubuntu · 2019-07-17 · CVSS 9.8 · CVE-2019-9811 [CRITICAL]
Summary: Several security issues were fixed in Thunderbird.
Ubuntu
Firefox vulnerabilities · vendor_ubuntu · 2019-07-12 · CVSS 9.8 · CVE-2019-9811 [CRITICAL]
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Red Hat
Mozilla: Same-origin policy treats all files in a directory as having the same-origin · vendor_redhat · 2019-07-10 · CVSS 6.5 · CVE-2019-11730 [MEDIUM] · CWE-829
Debian
CVE-2019-11730: firefox · vendor_debian · 2019 · CVSS 6.5 · [MEDIUM]
Scope: local
sid: resolved (fixed in 68.0-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-11730 Mozilla: Same-origin policy treats all files in a directory as having the same-origin · bugzilla · 2019-07-10 · CVSS 6.5 · [MEDIUM]
A vulnerability exists where if a user opens a locally saved HTML file, this file can use `file:` URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories, and they may be uploaded to a server. Luigi Gubello demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they open that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents.
External Reference:
https://www.mozill
Bugzilla
file: URIs SOP Bypass: local HTML file can lead to file stealing (similar to CVE-2015-7186) · bugzilla · 2019-06-10 · CVSS 4.3 · CVE-2015-7186 [MEDIUM]
Created attachment 9071074
In this zip there are download.php base64.php test.html payload.html to reproduce the problem.
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36
Steps to reproduce:
1) Upload all the files from zip to your server
2) Edit files - replace attacker.domain with your server domain
3) Add a small image (
I wrote a patch that introduces a pref to treat file: URLs as unique origins. This is just a temporary fix and we can enable the pref just on android.
> It will probably break some tests. I'm waiting for this try push: https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=254743572&rev
Bugzilla
"Save as complete" gives access to content from other domains · bugzilla · 2006-04-04 · [MEDIUM]
Doing "save as complete" on a page from domain A also saves any referenced content from domain B. (If the page on B is included using bogus tag, its source is saved; if it's included using an tag, its DOM is serialized and that is saved.) When you load the saved page from A, it can access the content of the saved page from B.
This bug could be used to steal intranet data or sensitive information from your accounts on many types of sites. For example, an attacker's site might reference the URL for a security-sensitive bug report. If a member of the security group saved an attacker's page and then loaded it, the attacker would be able to see the bug report.
See also bug 230606. A simple fix for bug 230606 would fix this bug, bu
CTF
20200314-confidencectf2020teaser / README · ctf_writeups · 2020
# CONFidence CTF 2020 Teaser
**It's recommended to read our responsive [web version](https://balsn.tw/ctf_writeup/20200314-confidencectf2020teaser/) of this writeup.**
- [CONFidence CTF 2020 Teaser](#confidence-ctf-2020-teaser)
- [Web](#web)
- [cat web](#cat-web)
- [Failed Attempts](#failed-attempts)
- [Temple JS (unsolved)](#temple-js-unsolved)
- [Misc](#misc)
- [Angry Defender (unsolved)](#angry-defender-unsolved)
---
## Web
### cat web
The server uses AJAX APIs to render the website content. The API endpoint is like this:
```
/cats?kind=black
{"status": "ok", "content": ["il_570xN.1285759626_8j8m.jpg", "24.jpg", "2468b5d0-67e8-4d77-9bbb-87a656c8087a-large3x4_Untitledcollage.jpg"]}
```
Let's quickly fuzz a little bit:
```
/cats?kind=black/../../
{"status": "ok", "content": [
```
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00055.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00058.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00073.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1558299
- https://lists.debian.org/debian-lts-announce/2019/08/msg00001.html
- https://lists.debian.org/debian-lts-announce/2019/08/msg00002.html
- https://security.gentoo.org/glsa/201908-12
- https://security.gentoo.org/glsa/201908-20
- https://www.mozilla.org/security/advisories/mfsa2019-21/
- https://www.mozilla.org/security/advisories/mfsa2019-22/
- https://www.mozilla.org/security/advisories/mfsa2019-23/