Closed Bug 293424 Opened 19 years ago Closed 19 years ago

Malicious website can access chrome

Categories

(Core :: Security: CAPS, defect)

x86
Windows XP
defect
Not set
major


RESOLVED FIXED

People

(Reporter: pvnick, Assigned: mconnor)


Details

(Keywords: fixed-aviary1.0.5, fixed1.7.9, Whiteboard: [sg:fix] need landing)

Attachments

(1 file)

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

The url "about:" can be accessed by a website, but it takes some cross site
scripting (using another vuln submitted by me) to javascript:document.write("");
onto the about: page to show its true url (chrome://global/content/about.xhtml).
From there, the page is treated under chrome privileges and system access is easy.

Reproducible: Always

Steps to Reproduce:
1. http://greyhatsecurity.org/secretfoldervulns/about.htm
2. Click the link
3. Wait about 2 seconds
Actual Results:
Script executed in chrome

Expected Results:
about: page navigation from internet pages should be disallowed
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
Blocks: sbb?
Testcase doesn't work in my current build, but linking to about: seems to be a
bad thing in general.
Assignee: nobody → mconnor
Whiteboard: [sg:fix] → [sg:fix] -need patch
I can't think of anything this would break...

We should think about the "about:foo points to chrome" concept as a potential
attack vector in general.  Shaver's suggestion was to deprivilege about:
completely, moving about:config and friends requiring chrome access to
system:*, and possibly blocking any linking to these URLs.  What's left in
about: should not have chrome URLs or any privs at all.

But for the branch, we can just flip this off, the others seem to be safe, for
now (and in about 5 minutes, someone will prove me wrong I'm sure).
Attachment #186337 - Flags: superreview?(brendan)
Attachment #186337 - Flags: review?(brendan)
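As an added example that is not part of this bug or of Mozilla's code, the model below shows the "about:foo points to chrome" problem from the comment above: a load check that judges only the literal scheme of the target lets web content reach a chrome document through the about: alias, while a check that resolves the alias first refuses it. The ABOUT_ALIASES table (except the about: mapping the reporter gives), the scheme sets and the function names are constructed assumptions.

```javascript
// Added example, not Mozilla code: a simplified model of a load-URI policy
// check. "about:" is an alias whose real target is a chrome:// document, so
// a policy that looks only at the literal scheme lets web content reach
// chrome. Alias table, scheme sets and function names are constructed.

// Constructed alias table: what each about: URL actually loads. The about:
// entry is the mapping reported in the bug; about:blank loads nothing.
const ABOUT_ALIASES = {
  "about:": "chrome://global/content/about.xhtml",
  "about:blank": "about:blank",
};

const PRIVILEGED_SCHEMES = new Set(["chrome", "resource", "file"]);
const WEB_SCHEMES = new Set(["http", "https", "ftp"]);

// Return the lower-cased scheme of a URL, or null if it has none.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Follow about: aliasing to the document that really loads.
function resolveAbout(url) {
  return Object.prototype.hasOwnProperty.call(ABOUT_ALIASES, url)
    ? ABOUT_ALIASES[url]
    : url;
}

// Vulnerable form: judges the target by its literal scheme only, so
// "about:" looks harmless even though it loads a chrome document.
function naiveCheckLoadURI(sourceUrl, targetUrl) {
  if (!WEB_SCHEMES.has(schemeOf(sourceUrl))) return true; // privileged source
  return !PRIVILEGED_SCHEMES.has(schemeOf(targetUrl));
}

// Hardened form: resolve aliases first, then judge the scheme of the
// document that will actually load. Any about: URL that maps onto chrome
// is refused to web content, which is the effect of the branch fix.
function checkLoadURI(sourceUrl, targetUrl) {
  if (!WEB_SCHEMES.has(schemeOf(sourceUrl))) return true; // privileged source
  const resolved = resolveAbout(targetUrl);
  return !PRIVILEGED_SCHEMES.has(schemeOf(resolved));
}

// Usage with constructed URLs.
console.log(naiveCheckLoadURI("http://web.example/", "about:")); // true (hole)
console.log(checkLoadURI("http://web.example/", "about:"));      // false (blocked)
console.log(checkLoadURI("http://web.example/", "about:blank")); // true
```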
Brendan:  Can you review the patches and give the a= so we can get this checked
in soon?  Thanks.
Comment on attachment 186337 [details] [diff] [review]
block about: from chrome

Yeah, let's go.  This is overdue.

/be
Attachment #186337 - Flags: superreview?(brendan)
Attachment #186337 - Flags: superreview+
Attachment #186337 - Flags: review?(brendan)
Attachment #186337 - Flags: review+
Attachment #186337 - Flags: approval-aviary1.1a2+
Comment on attachment 186337 [details] [diff] [review]
block about: from chrome

We want this on the branch too. a=jay
Attachment #186337 - Flags: approval-aviary1.0.5+
I seem to recall having a patch which we backed out that let documents retain
their proper url instead of having them morph :(
Component: General → Security: CAPS
Flags: review+
Product: Firefox → Core
Version: unspecified → Trunk
Updated product/component per timeless. Since this is core, we should probably
get this in 1.7.9 also, right?  Nominating...
Flags: blocking1.7.9?
Whiteboard: [sg:fix] -need patch → [sg:fix] need landing
checked in to aviary/1.7/trunk
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: blocking1.7.9? → blocking1.7.9+
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
Gecko/20050706 Firefox/1.0.5 using original testcase.  about: cannot be loaded.
Adding distributors
FF1.0.5 advisories published
Group: security
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?