Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Getting content of iFrame file://
Posted by: p0deje
Date: September 09, 2010 05:15AM

Hi everybody.

Can anybody explain to me why Opera and IE still allow reading of an iframe with a file:// src from HTML of the same protocol (whereas Firefox and Chrome forbid it)? Because if a user saves a page with such an iframe locally and opens it, JS can read its innerHTML and send it anywhere.

P.S. Curious: opening an HTML file locally with <iframe src="file:///C:\WINDOWS\NOTEPAD.EXE"> in Safari on Windows leads to executing explorer.exe at the C:\WINDOWS location. lol

---------
http://p0deje.blogspot.com

Re: Getting content of iFrame file://
Posted by: Gareth Heyes
Date: September 09, 2010 05:17AM

I think when you save the file it's marked as downloaded so it's restricted in certain ways on IE.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Getting content of iFrame file://
Posted by: p0deje
Date: September 09, 2010 06:07AM

IE changes the iframe src to about:blank if saving as "Webpage, complete", but saving as "Webpage, HTML only" preserves the src. Still, IE blocks JS by default.

I'm just curious, isn't "forbid reading of file://" a security standard? Because Firefox and WebKit are using it.

---------
http://p0deje.blogspot.com

Re: Getting content of iFrame file://
Posted by: kuza55
Date: September 12, 2010 06:49PM

Firefox has additional protections as well: it will only let you read files in the current directory, and it will not give you a directory listing, so you would need to know the filenames to read them.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]
