[Greasemonkey] greasemonkey for secure data over insecure networks / sites
Mark Pilgrim
pilgrim at gmail.com
Mon Jul 18 16:42:15 EDT 2005
On 7/18/05, Mark Pilgrim <pilgrim at gmail.com> wrote:
> On 7/18/05, Godmar Back <godmar at gmail.com> wrote:
> > Could a malicious web site serve JavaScript that would create
> > connections to domains other than the domain from which it came if the
> > user has a GM script that is triggered for all pages, since the
> > GM_xmlhttprequest function object (or whatever it was called) will
> > then exist in the environment of the page?
>
> Yes. http://diveintogreasemonkey.org/experiments/xmlhttprequest-leak.html
This particular exploit is much, much worse than I thought.
GM_xmlhttpRequest can successfully "GET" any world-readable file on
your local computer.
http://diveintogreasemonkey.org/experiments/localfile-leak.html
returns the contents of c:\boot.ini, which exists on most modern
Windows systems.
But wait, it gets worse. An attacker doesn't even need to know the
exact filename, since "GET"ting a URL like "file:///c:/" will return a
parseable directory listing. (And Mac users don't get to gloat
either; you're just as vulnerable, starting with a different root
URL.)
In other words, running a Greasemonkey script on a site can expose the
contents of every file on your local hard drive to that site. Running
a Greasemonkey script with "@include *" (which, BTW, is the default if
no parameter is specified) can expose the contents of every file on
your local hard drive to every site you visit. And, because
GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly
send this information anywhere in the world.
--
Cheers,
-Mark