On 07/02/2011 10:21 AM, Marko Vojinovic wrote:
On Saturday 02 July 2011 17:10:33 JD wrote:
On 07/02/2011 08:12 AM, Brendan Jones wrote:
On 07/02/2011 01:45 PM, JD wrote:
So how is the router doing it? This is a very disconcerting security hole and I have not been able to nail it down to any daemon running on my Fedora.
Isn't the page just redirecting to file://<ip>/ ?
You can do the same by typing that into the address bar of your browser. If your local ip is <ip> (which is the same as file:/// ) you will be able to traverse your root, but no other IP can.
I tried it. The browser cannot browse to my ip address for the simple reason I do not have apache httpd running. Read my subsequent posts on this.
You do not need an apache server to see your own files from the browser. I just typed
file://127.0.0.1/
into firefox and the files in the root directory appeared no problem. A web browser is supposed to be able to access your files, in the same way you are able to do it from the shell prompt.
Can your router display the files of some other computer connected to it? Or did you try that just with the one you were sitting at?
Have you tried browsing through some user's home directory (other than your own)? Could you read any of those files?
I don't think there is any security hole there, it's just your own browser playing tricks on you. Care to provide the html source code for the router's page that has a link to view the files? The source should tell us how it's being done.
HTH, :-) Marko
The router does not display any files when I try it on other computers. They are windows computers (win7 and winxp) - not sure why it does not display windows' c:\ contents.
On my machine, when I disable javascript, it is unable to display my files. I understand that the browser is supposed to be able to display your files with the file:/// URL. I just was not expecting my router to issue a javascript to access my files. And my concern is that any web site can issue a javascript to access personal files; and most people are unaware of this, because they are not techies, and do not understand what javascripts are capable of doing.
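Marko's request above (look at the router page's HTML source to see how the redirect is done) can be turned into a small check. The script below is an added example for this thread, not code from the router, from any poster, or from Fedora: it scans a saved copy of a web page for the usual ways a page sends the browser to a file: URL (an ordinary link, a meta refresh, or a script assigning location / calling window.open), and then reports whether each target's host would be treated as the visitor's own machine. The page it scans is constructed for the example; the real router page was never posted, so the `192.168.1.10` address, the `SAMPLE_ROUTER_PAGE` markup and the function names are all assumptions.

```javascript
// Added example, not from the thread: find file: references in a page's HTML
// and decide whether each one points at the machine doing the browsing.
// Runs under Node.js with no dependencies (the WHATWG URL class is global).

// Constructed sample page standing in for the router's page. The address,
// the script and the links are invented for this example.
const SAMPLE_ROUTER_PAGE = `
<html><head>
<meta http-equiv="refresh" content="0; url=file://192.168.1.10/">
<script>
  // hypothetical router script: sends the visitor's browser to its own disk
  var ip = "192.168.1.10";
  window.location.href = "file://" + ip + "/";
</script>
</head><body>
<a href="file://192.168.1.10/home/">View files</a>
<a href="http://192.168.1.1/status.cgi">Status</a>
</body></html>`;

// Returns [{kind, url, dynamic}] for every file: reference found.
// "dynamic" marks a script literal that is concatenated with something else
// (e.g. "file://" + ip + "/"), so only the literal prefix is reported.
function findFileUrlReferences(html) {
  const found = [];
  let m;

  // 1. plain links: <a href="file://...">
  const hrefRe = /<a\b[^>]*\bhref\s*=\s*["']?(file:[^"'\s>]*)/gi;
  while ((m = hrefRe.exec(html)) !== null) {
    found.push({ kind: 'link', url: m[1], dynamic: false });
  }

  // 2. meta refresh: <meta http-equiv="refresh" content="0; url=file://...">
  const metaRe = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']([^"']*)["']/gi;
  while ((m = metaRe.exec(html)) !== null) {
    const target = /url\s*=\s*(\S+)/i.exec(m[1]);
    if (target && /^file:/i.test(target[1])) {
      found.push({ kind: 'meta-refresh', url: target[1], dynamic: false });
    }
  }

  // 3. script-driven navigation: location = "file:...", location.href = "...",
  //    document.location = "...", window.open("file:...")
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const navPatterns = [
    /(?:(?:window|document)\.)?location(?:\.href)?\s*=\s*(["'])(file:[^"']*)\1(\s*\+)?/gi,
    /window\.open\s*\(\s*(["'])(file:[^"']*)\1(\s*\+)?/gi,
  ];
  let s;
  while ((s = scriptRe.exec(html)) !== null) {
    for (const re of navPatterns) {
      re.lastIndex = 0; // sticky state from the previous script body
      while ((m = re.exec(s[1])) !== null) {
        found.push({ kind: 'script', url: m[2], dynamic: m[3] !== undefined });
      }
    }
  }
  return found;
}

// Does this file: URL name the machine running the browser? An empty host,
// "localhost" and 127.0.0.1 always do; the thread's router apparently used the
// visitor's LAN address, so the caller supplies that machine's own addresses.
function resolvesToThisMachine(fileUrl, localAddresses) {
  let parsed;
  try {
    parsed = new URL(fileUrl);
  } catch (e) {
    return false; // not a parseable absolute URL
  }
  if (parsed.protocol !== 'file:') return false;
  const host = parsed.hostname.toLowerCase(); // "file://localhost/" parses to ""
  return host === '' || host === 'localhost' || host === '127.0.0.1' ||
    localAddresses.includes(host);
}

// Combine the two: every file: reference, flagged if it targets this machine.
function auditPage(html, localAddresses) {
  return findFileUrlReferences(html).map((ref) => ({
    ...ref,
    local: resolvesToThisMachine(ref.url, localAddresses),
  }));
}

// Usage: pretend the machine reading the page is 192.168.1.10.
for (const ref of auditPage(SAMPLE_ROUTER_PAGE, ['192.168.1.10'])) {
  console.log(ref.kind.padEnd(13), ref.url.padEnd(30),
    ref.dynamic ? '(built at runtime)' : '', ref.local ? '-> this machine' : '');
}
```

Two points this makes concrete. First, the thread's own observation (the listing vanishes when JavaScript is disabled) matches a script-built redirect like the third finding, and the audit shows that the link only "works" because the host it names is the visitor's own address, which is why the Windows machines on the same router saw nothing. Second, a redirect is all a page from the router's http origin can do: the browser's same-origin policy does not let that page read the contents of the file: document it navigated to, and current Firefox and Chrome refuse to navigate from an http page to a file: URL at all, so the listing is shown to the user, not sent back to the site.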