Posted by Ryan Lange on 06/11/06 21:34
wylbur37 wrote:
> In my original posting, when I described running a PHP script called
> test3.php on my localhost Apache server (where the server and the
> client are on the same physical computer), I could also include code
> that reads and writes to the c: drive, so I assumed that if that same
> script were installed on a physically remote server, it would also be
> able to read and write to the C: drive of my computer if I were to
> visit the webpage with that PHP script.
/me cringes in horror. Allowing a remote server to arbitrarily
write data to a client's hard drive would be a security blunder of epic
proportions.
> But now I realize that if that were the case, the C: drive that would
> be accessed would be the one on the *server's* computer and not *my*
> computer. Is that correct?
Actually, no, not with the method you were using for that link. If
I understand correctly, the file:// protocol tells the browser to look
on the local machine (i.e. the client's computer).
> By the way, the informative webpage mentioned
> (http://kb.mozillazine.org/Links_to_local_pages_don't_work)
> said that ...
>
> For security purposes, Firefox and Mozilla Suite block links to
> local files (and directories) from remote files. This includes
> linking to files on your hard drive, on mapped network drives, and
> accessible via UNC paths. This prevents a number of unpleasant
> possibilities, including:
>
> * Allowing sites to detect your operating system by checking
> default installation paths
> * Allowing sites to exploit system vulnerabilities (e.g.,
> C:\con\con in Windows 95/98)
> * Allowing sites to detect browser preferences or read sensitive
> data
>
> Could someone explain how the above three "unpleasant possibilities"
> could actually happen?
Well, for something harmless, imagine this...
<a href="file:///C:/WINDOWS/system32/calc.exe">
Download a really cool file!
</a>
If there was no security, bam... you just ran the Windows
Calculator on the client's machine. Now, thankfully that's not the case.
If you run that file strictly local (double-click in Explorer), both
Firefox and IE6 will ask if you want to download "calc.exe". Anything
else, including running it through a local web server, and neither
browser will do anything.
Ryan
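As an added illustration of the policy Ryan and the MozillaZine article describe (this is example code, not part of the original thread and not Firefox's or IE's actual implementation), the script below models the rule "a remote page may not link to local files" as a small link-policy check. It resolves each href against the page that carries it, so relative links are handled, and treats every file: URL as local, which covers drive letters, mapped drives and UNC paths alike. The page URLs, hrefs and host names are constructed test data.

```javascript
// Added example: a minimal model of the "no links to local files from
// remote pages" rule. Not the browsers' real code; all URLs are constructed.

// Any file: URL is "local" from the browser's point of view, whether it
// names a drive letter (file:///C:/...), a mapped drive (file:///Z:/...)
// or a UNC share (file://server/share/...).
function classify(url) {
  return url.protocol === "file:" ? "local" : "remote";
}

// Decide whether a link on `pageUrl` pointing at `href` may be followed.
// The href is resolved against the page first, so a remote page cannot
// reach a local target through a relative path either.
function linkAllowed(pageUrl, href) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(href, page);
  } catch (e) {
    return { allowed: false, reason: "unparseable href" };
  }
  const from = classify(page);
  const to = classify(target);
  if (from === "remote" && to === "local") {
    // This is the case the article blocks: http page -> file:// target.
    return { allowed: false, reason: "remote page may not link to " + target.href };
  }
  // local -> local (the double-clicked test page) and anything -> remote
  // are fine; the browser then prompts to download or opens the page.
  return { allowed: true, reason: from + " -> " + to };
}

// Constructed cases: the calc.exe link from the post, a UNC path, a
// mapped drive, a relative remote link, and the same link from a page
// that was itself opened from disk.
const CASES = [
  ["http://example.test/page.html", "file:///C:/WINDOWS/system32/calc.exe"],
  ["http://example.test/page.html", "file://fileserver/share/secret.doc"],
  ["http://example.test/page.html", "file:///Z:/mapped/drive.txt"],
  ["http://example.test/page.html", "/other.html"],
  ["file:///C:/Users/me/test3.html", "file:///C:/WINDOWS/system32/calc.exe"],
  ["file:///C:/Users/me/test3.html", "http://example.test/page.html"],
];

// Run the policy over every case and return the decisions.
function runCases(cases = CASES) {
  return cases.map(([page, href]) => ({ page, href, ...linkAllowed(page, href) }));
}

for (const r of runCases()) {
  console.log((r.allowed ? "ALLOW " : "BLOCK ") + r.page + " -> " + r.href + " (" + r.reason + ")");
}
```

The model deliberately keys on the scheme only: the linking page being file: is what lets the local calc.exe link through (the "double-click in Explorer" case), while the same href from any http page is refused, matching the behaviour the post describes for Firefox and IE6.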