Fedora Security and the Uverse 3800HGV-B router

[Marko Vojinovic]

On Sunday 03 July 2011 00:39:28 JD wrote:
> On 07/02/2011 10:39 AM, Marko Vojinovic wrote:
> > On Saturday 02 July 2011 15:50:18 JD wrote:
> >> If a javascript can browse all accessible files, what's there
> >> to prevent someone from writing a javascript to spawn
> >> a process to upload your files?
> > 
> > Permissions system? While the contents of / directory can be listed by
> > just about any user on the system, it's a completely different story for
> > writing to it. Also, can you browse through home directories of other
> > users from the router? I doubt.
> 
> Good question.
> The dirs whose owners set to 0700 perms,
> I cannot browse.
> As I said, the script allows access to files that
> the current user, accessing the web, has access to.
> So, one's own personal files are at risk, and files of
> other users which have permissive perms are at
> risk.
> As far as writing, the script is running with the user
> credentials. Why would it not be able to write to or
> delete the user's own files or other users' files which
> have permissive perms settings?

Umm, no. The javascript itself cannot access your files at all. It can just 
point your local web browser to show you your local files. It's the browser 
that is displaying your files, not javascript. Deleting and uploading are out 
of the question.

To prove this, hook up two machines into your router, and try to look at the 
filesystem of machine A by accessing the router from the browser on machine B. 
Does it fail? Sure it does, the browser on machine B cannot see the filesystem 
of machine A, regardless of any router or javascript in between. Try it and 
see for yourself.  You are making fuss over a non-issue.

> > Go create a new dummy user on your machine, create somefile.txt in his
> > home directory, log in as yourself and try to view the file using the
> > router. If you succeed, the permissions on your system are compromised.
> > If you don't, then you are fussing over that router more than it's
> > worth. In both cases I doubt that javascript has much to do with it.
> 
> As stated above, if the perms are set to... say 0700 on the
> user's home dir, then no I cannot browse it by the browser.
> 
> And this is NOT the issue I was raising, so you diverge quiet a bit.
> 
> It is the fact that as javascript sent by web site can indeed
> open my files and can upload them to a remote site.

But that's not the case. Javascript did nothing of the sort. It is a simple 
html instruction, like this:

<a href="file://127.0.0.1/"> Click here to see your local files </a>

This can be implemented on any website whatsoever, and of course there is no 
way any information about your local filesystem can be pulled back to the 
server providing the link. The link just redirects your browser from that 
random website to your "filesystem-website", which is actually the virtual 
website created by your *local* browser to display your *local* files.

Javascript is not involved at all here. The fact that the router's website 
fails to work when you use noscript on it is a question of the design of the 
router, but I can bet that it does not access your files in any way.

Open the browser, point it to the router website, choose "view -> page source" 
from the menu (I'm talking Firefox here) and post the html source of what it 
gives you. I could bet that you can find a href anchor there just like the one 
that I wrote above (or something similar/equivalent). There is nothing more to 
it, really.

And there certainly is no reason to panic over security. If this was a real 
hole, it would be obvious to people years ago, and certainly fixed by now... 
There are quite a number of people out there that are way more paranoid than 
you or me. They would raise the alarm long ago if it were something real. ;-)

HTH, :-)
Marko