Closed
Bug 141061
Opened 22 years ago
Closed 22 years ago
XMLHttpRequest allows reading of local files
Categories
(Core :: DOM: Core & HTML, defect, P1)
Core
DOM: Core & HTML
Tracking
()
VERIFIED
FIXED
mozilla1.0
People
(Reporter: giscardg, Assigned: darin.moz)
References
()
Details
(Keywords: topembed+, Whiteboard: [ADT1][m5+][fixed-trunk])
Attachments
(3 files, 2 obsolete files)
1.23 KB,
text/html
|
Details | |
75 bytes,
application/octet-stream
|
Details | |
3.28 KB,
patch
|
security-bugs
:
review+
hjtoi-bugzilla
:
superreview+
asa
:
approval+
|
Details | Diff | Splinter Review |
When an http server redirects the user to a local file, XMLHttpRequest gets tricked into thinking the page came from the http server.
Comment 1•22 years ago
|
||
i can confirm this with win2k build 20020428..
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•22 years ago
|
||
I am marking this bug Security-Sensitive. That means only people in the Bugzilla security group and everyone whose email appears in the fields of the bug (reporter, etc.) will be able to view it. If anyone objects, simply uncheck the box above.
Assignee: jst → mstoltz
Group: security?
Target Milestone: --- → mozilla1.0
Reporter | ||
Comment 3•22 years ago
|
||
The folks at greymagic found this bug. Just so there's no confusion, I take no responsability for finding this bug.
Comment 4•22 years ago
|
||
BTW: http://www.theregister.co.uk/content/4/25079.html It looks like the problem is that http doesn't do any security handling itsself. Instead, it relies on docshell to call CheckLoadURI in its OnRedirect handler - see http://lxr.mozilla.org/seamonkey/source/uriloader/base/nsDocLoader.cpp#1270 darin, Mitch - should http be doing its own security checks? Is there ever a case where we don't want these run?
Comment 5•22 years ago
|
||
In 1.0RC1, this test case crashes for me on linux. A local test case sometimes crashes, and sometimes hangs, depending on the details of my redirect. I don't have a branch debug build to work our where this is happening. On the trunk, using that test page, I can load chrome urls, and have the text appear. I can't load js ones, though, because the channel doesn't provide an nsIInterfaceRequestor for us to get teh script global from, so I hit the assertion in nsJSThunk::EvaluateScript.
Any point in keeping this closed now that the Register has pasted the (trivial) sample code, as well as the GreyMagic advisory page having a working demonstration?
cls and timeless are going to turn off xmlextras in the default build until we have a fix, so I'm adding them to the cc:. Whatever fix-patch we end up with can tweak configure.in again.
Comment on attachment 81685 [details] [diff] [review] remove xmlextras from configure.in Noted on IRC but for the record, r=cls. FYI, this change is going to remove xmlextras from the build completely. To enable it in a build, you'll have to explicitly specify it: e.g. --enable-extensions=all,xmlextras
Attachment #81685 -
Flags: review+
Comment 10•22 years ago
|
||
cc'ing heikki the module owner for xmlextras
Reporter | ||
Comment 11•22 years ago
|
||
*** Bug 141208 has been marked as a duplicate of this bug. ***
Reporter | ||
Comment 13•22 years ago
|
||
Reporter | ||
Comment 14•22 years ago
|
||
This bug is also affected by document.load(). To test this put load.html and redir.asp on a webserver. point your browser to http://<yourwebserver>/load.html. load.html will display c:/test.xml in your browser.
I don't think there is point in keeping this secret, it is public knowledge now (articles at The Register etc.). This also affects document.load(), which you cannot disable by disabling xmlextras from the build. This needs a real fix. Marking nsbeta1+ and topembed+ (pretty sure Jud would not mind;).
Assignee | ||
Comment 16•22 years ago
|
||
two solutions: 1) make sure we have an nsIHttpEventSink::OnRedirect implementation whenever loading http URLs. 2) make http call CheckLoadURI itself. i'd prefer to go the route of solution 1 if at all possible. i know it's riskier, but it would keep things more modular (necko would have to depend on caps).
Assignee | ||
Comment 17•22 years ago
|
||
this patch ensures that CheckLoadURI is called for all HTTP redirects.
Assignee | ||
Comment 18•22 years ago
|
||
can people try out this patch and verify that it does indeed fix this bug? thx!
Assignee | ||
Comment 19•22 years ago
|
||
ok, i verified this patch against an XMLHttpRequest based exploit. if inside the netscape firewall, see http://unagi.mcom.com/~darinf/test.html if you have a local file on your system with the URL file:///tmp/test.txt, you'll see it's contents appear in an alert box when you load test.html. if you apply my patch, you'll no longer see any text in the alert box.
Assignee | ||
Comment 21•22 years ago
|
||
this patch comments out the redundant code in nsDocLoader.cpp
Assignee | ||
Updated•22 years ago
|
Keywords: adt1.0.0,
mozilla1.0+
Comment 22•22 years ago
|
||
adding the to beta stopper list. Who should r=/sr= this?
Whiteboard: [ADT1] → [ADT1][m5+]
Updated•22 years ago
|
Comment 23•22 years ago
|
||
undoing the keyword, whiteboard and priority changes i wiped away with my last change. sorry. readding nsbeta1+ and topembed+ because it looks like those were removed accidently as well.
I tried to make document.load() tests for Apache, but they don't seem to work. These are on an internal Netscape server (Netscape people should be able to log in normally if you want to tweak things). http://green.nscp.aoltw.net/heikki/141061/load-win.html (c:\temp\test.txt) http://green.nscp.aoltw.net/heikki/141061/load-unix.html (/tmp/test.txt) Anyone who could test the load tests from Giscard with Darin's patch?
Keywords: adt1.0.0,
mozilla1.0+
Whiteboard: [ADT1][m5+] → [ADT1]
Oops, sorry, I can confirm this fixes the document.load() bug on Windows as well.
To test the load() tests, place test.xml file on your local disc. c:\temp\test.xml for Windows and /tmp/test.xml for Unix. That test file could be something as simple as: <doc>Foobar</doc>
Comment 27•22 years ago
|
||
Comment on attachment 81725 [details] [diff] [review] patch - same thing, with equivalent code commented out of nsDocLoader.cpp Looks good. r=mstoltz
Attachment #81725 -
Flags: review+
Comment 29•22 years ago
|
||
I'd like to keep this bug security-confidential for another day or two. If anyone objects, please send mail to security-group@mozilla.org and we'll discuss it there - NOT here in the bug.
Comment 30•22 years ago
|
||
patch manager is really good at bad collisions...
Keywords: adt1.0.0,
mozilla1.0+
Comment 31•22 years ago
|
||
On second thought, let's open up the bug. Transparency is good.
Group: security?
Comment 32•22 years ago
|
||
Has anyone got a debug branch build to see if this fixes the crash, too?
Comment on attachment 81725 [details] [diff] [review] patch - same thing, with equivalent code commented out of nsDocLoader.cpp sr=heikki
Attachment #81725 -
Flags: superreview+
Updated•22 years ago
|
Attachment #81685 -
Attachment is obsolete: true
Updated•22 years ago
|
Attachment #81716 -
Attachment is obsolete: true
The crash was another issue, it has been fixed in XMLHttpRequest on the trunk & branch. Harishd just made a patch for document.load() case. Basically the crash occurred when those objects were used to load non-XML data, especially if they contained stylesheets. I am making a testcase to see if this fixes the case of redirecting stylesheets.
Comment 35•22 years ago
|
||
Comment on attachment 81725 [details] [diff] [review] patch - same thing, with equivalent code commented out of nsDocLoader.cpp a=asa (on behalf of drivers) for checkin to the 1.0 branch
Attachment #81725 -
Flags: approval+
Create test.css file with contents p {color:red;} and place it in c:\temp\test.css, then point your browser into this URL http://green.nscp.aoltw.net/heikki/141061/style-win.html Confirmed that this patch fixes that as well. This bug was reported on bugtraq.
Comment 37•22 years ago
|
||
*** Bug 141348 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 38•22 years ago
|
||
fixed-on-trunk
Status: NEW → ASSIGNED
Whiteboard: [ADT1][m5+] → [ADT1][m5+][fixed-trunk]
Comment 39•22 years ago
|
||
adding adt1.0.0+. Please check this into the branch as soon as possible and add the fixed1.0.0 keyword.
Comment 40•22 years ago
|
||
Also fixed on 1.0 branch.
Comment 42•22 years ago
|
||
*** Bug 141453 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 43•22 years ago
|
||
marking FIXED
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 44•22 years ago
|
||
*** Bug 141551 has been marked as a duplicate of this bug. ***
Comment 45•22 years ago
|
||
*** Bug 141727 has been marked as a duplicate of this bug. ***
Comment 46•22 years ago
|
||
*** Bug 141755 has been marked as a duplicate of this bug. ***
Assignee | ||
Updated•22 years ago
|
Keywords: fixed0.9.4
Comment 47•22 years ago
|
||
Verified on 2002-05-01-trunk and 2002-05-01-branch on WinNT 3 testcases: 1. URL 2. barrowma.com/redirtest.html 3. test provided by Heikki work fine.
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.0 → verified1.0.0
Comment 48•22 years ago
|
||
I was playing around with the exploit example page at http://sec.greymagic.com/adv/gm001-ns/ and i was wondering about what appears to be a similar problem. After updating to the very latest (fixed) Moz, the file://whatever hole seems to be fixed. However, if i type, say, http://slashdot.org/users.pl?op=edituser into the textbox and click "sniff", the content that their site grabs from me includes what is supposed to be private data -- my email address and so on. Could an approach similar to this bug be used to, say, grab someone's stock portfolio information by sniffing a URL at Yahoo Finance?
Comment 49•22 years ago
|
||
Mike, chances are the answer is "yes", from what I remember of this code... could you please file a separate bug on it?
Assignee | ||
Comment 50•22 years ago
|
||
Mike: yup, you raise a good point... however, short of breaking compatibility with a large number of websites, there is very little we can do to avoid that security risk. IMO, concerned users ought to disable javascript anyways when potentially visiting a malicious website.
I can fix the problem Mike mentioned in XMLHttpRequest itself (maybe also for document.load but I am not sure). I'll do that in bug 133170.
Comment 52•22 years ago
|
||
Darin, what sites? Who uses this? And this seems like a serious problem, one that will show up. I don't want to ship like that. Heikki, do we need to make sure that the bug you mentioned stays on the 1.0 radar?
Assignee | ||
Comment 53•22 years ago
|
||
blizzard: i was referring primarily to document.load ... seems like it'd be common place for websites to document.load an URL that results in a redirect to a site under a different domain. so, how can we block cross-site redirects on document.load? no other browser does, so we'd just end up making the product incompatible with who-knows-what top100 website.
Comment 54•22 years ago
|
||
To get a version which includes the fix, are the nightly builds stable enough for download by end-users? Or should they wait for RC2? Any estimate yet on a release date for RC2?
document.load(), and XMLHttpRequest.open() already check if they are allowed to access the URL that is passed in, and fail if the security check fails. The fact that you can go around this check by using a redirect seems like a bug to me, clear and simple. I created two testcases that show this allows a hacker access to Bugzilla using my account, and access to W3C member-only sections using my account. The exploits are possible if I have logged in to Bugzilla (cookies remember my login and are sent automatically) or W3C (basic auth login remembered and sent automatically) during this session. http://green.nscp.aoltw.net/heikki/133170/xmlhttpbugzilla.html http://green.nscp.aoltw.net/heikki/133170/xmlhttpw3cauth.html XMLHttpRequest is the more serious issue here because it can give you access to documents regardless of format. document.load(), I believe, will only be able to give the hacker access to XML documents. I have a fix for XMLHttpRequest altready, and I am debugging similar fix for document.load() in bug 133170. I would advice moving this discussion there.
Comment 56•22 years ago
|
||
> Any estimate yet on a release date for RC2?
Any day now.
Comment 57•22 years ago
|
||
> Any estimate yet on a release date for RC2? When all dependencies for bug 138000 are fixed, except the nsIFIle one
Comment 58•22 years ago
|
||
for what it's worth, PPEmbed from 5/6/02 1.0 branch still has this problem. should i reopen? removing verified1.0.0 keyword. we need traction on this asap, it's a beta blocker for embedding clients.
Keywords: verified1.0.0
Comment 59•22 years ago
|
||
never mind, it appears we jumped the gun. this bug appears fixed in 5/6/02 ppembed. someone is toking up without sharing again. ;)
Comment 60•22 years ago
|
||
adding back verified1.0.0 based on pinkerton's most recent comments. It sounds like new issues are being handled in 133170.
Keywords: verified1.0.0
Comment 61•22 years ago
|
||
I was away for a few days; after reading the new comments, i'm not sure whether you still want me to file a new bug as requested in #49, or if someone else is taking care of this potential problem.
Mike, that is being covered by bug 133170.
Comment 63•22 years ago
|
||
Darin: Will this solve Bug 102262? I've been wanting that to go away for a long time, but haven't had time to focus on it.
Comment 64•22 years ago
|
||
Verified on 2002-05-08-6.2.3 on WinNT. 3 testcases: 1. URL ("This is blocked by the security manager) 2. barrowma.com/redirtest.html (an empty alert is shown) 3. test provided by Heikki (text is not red) work fine.
Updated•11 years ago
|
Component: DOM: Mozilla Extensions → DOM
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•