Closed
Bug 293424
Opened 19 years ago
Closed 19 years ago
Malicious website can access chrome
Categories: Core :: Security: CAPS, defect
Tracking: RESOLVED FIXED
People: Reporter: pvnick, Assigned: mconnor
Details: Keywords: fixed-aviary1.0.5, fixed1.7.9; Whiteboard: [sg:fix] need landing
Attachments (1 file)
1.13 KB, patch | brendan: superreview+ | jay: approval-aviary1.0.5+ | brendan: approval-aviary1.1a2+
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

The URL "about:" can be accessed by a website, but it takes some cross-site scripting (using another vuln submitted by me) to javascript:document.write (""); onto the about: page to show its true URL (chrome://global/content/about.xhtml). From there, the page is treated under chrome privileges and system access is easy.

Reproducible: Always

Steps to Reproduce:
1. http://greyhatsecurity.org/secretfoldervulns/about.htm
2. Click the link
3. Wait about 2 seconds

Actual Results:
Script executed in chrome

Expected Results:
about: page navigation from internet pages should be disallowed
Updated•19 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
Comment 1•19 years ago (Assignee)
Testcase doesn't work in my current build, but linking to about: seems to be a bad thing in general.
Assignee: nobody → mconnor
Updated•19 years ago
Whiteboard: [sg:fix] → [sg:fix] -need patch
Comment 2•19 years ago (Assignee)
I can't think of anything this would break... We should think about the "about:foo points to chrome" concept as a potential attack vector in general. Shaver's suggestion was to deprivilege about: completely, moving about:config and friends requiring chrome access to system:*, and possibly blocking any linking to these URLs. What's left in about: should not have chrome URLs or any privs at all. But for the branch, we can just flip this off; the others seem to be safe, for now (and in about 5 minutes, someone will prove me wrong, I'm sure).
Attachment #186337 - Flags: superreview?(brendan)
Attachment #186337 - Flags: review?(brendan)
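The report and comment 2 describe the same design flaw from two sides: a web page may link to "about:", the browser silently rewrites that document into chrome://global/content/about.xhtml, and every privilege decision made on the "about:" spelling of the URL is then wrong. The example below is added here and is not code from the Mozilla tree or from anyone on this bug; it is a JavaScript model of a navigation-policy check that shows why the decision has to be made on the resolved document rather than on the alias. The about: → chrome://global/content/about.xhtml mapping is the one named in the report; the about:config target, the http origins, and the function names are constructed for the illustration.

```javascript
// Added illustration for bug 293424, not Mozilla code: an about: alias that
// resolves to a privileged chrome:// document must be judged by the document
// it resolves to, not by the "about:" scheme a web page wrote in its link.

// Alias table. The first mapping is the one named in the bug report; the
// second stands in for about:config's real chrome target (constructed
// placeholder, not the actual path).
const ABOUT_ALIASES = new Map([
  ["about:", "chrome://global/content/about.xhtml"],
  ["about:config", "chrome://placeholder/content/config.xul"],
]);

// Schemes whose documents run with full (chrome) privileges in this model.
const PRIVILEGED_SCHEMES = new Set(["chrome:"]);

function isPrivileged(url) {
  return PRIVILEGED_SCHEMES.has(url.protocol);
}

// Resolve an about: alias to the document that actually gets loaded; any
// other URL (and any unaliased about: URL such as about:blank) resolves to
// itself.
function resolveTarget(href) {
  const url = new URL(href);
  if (url.protocol === "about:" && ABOUT_ALIASES.has(url.href)) {
    return new URL(ABOUT_ALIASES.get(url.href));
  }
  return url;
}

// Pre-fix behaviour as the report describes it: the check looks only at the
// scheme of the link target. "about:" is not "chrome:", so an http: page is
// allowed to navigate to it, and the document that then runs is the chrome one.
function shouldLoadNaive(sourceHref, targetHref) {
  if (isPrivileged(new URL(sourceHref))) return true;
  return !isPrivileged(new URL(targetHref));
}

// Hardened check: resolve first, then decide. An unprivileged source may not
// load anything whose resolved document is privileged; privileged sources
// (chrome itself) keep full access.
function shouldLoadResolved(sourceHref, targetHref) {
  if (isPrivileged(new URL(sourceHref))) return true;
  return !isPrivileged(resolveTarget(targetHref));
}

// Run both policies over a constructed set of navigations and collect the
// decisions so the difference can be inspected (or asserted on).
function compareDecisions() {
  const cases = [
    ["http://site.example/page.html", "about:"],           // the bug
    ["http://site.example/page.html", "about:config"],     // same class
    ["http://site.example/page.html", "about:blank"],      // harmless alias
    ["http://site.example/page.html", "http://other.example/"],
    ["chrome://global/content/about.xhtml", "about:config"], // chrome source
  ];
  return cases.map(([src, dst]) => ({
    source: src,
    target: dst,
    resolvedTo: resolveTarget(dst).href,
    naive: shouldLoadNaive(src, dst),
    resolved: shouldLoadResolved(src, dst),
  }));
}

for (const row of compareDecisions()) {
  console.log(
    `${row.source} -> ${row.target} (${row.resolvedTo}): ` +
      `naive=${row.naive} resolved=${row.resolved}`
  );
}
```

The first two rows are where the policies disagree: the naive check admits both about: and about:config from an http: page, the resolving check refuses them because their resolved scheme is chrome:, while about:blank and ordinary http: targets stay loadable and a chrome source is unaffected. Shaver's suggestion in comment 2 (move privileged pages off about: entirely) removes the alias table from the decision altogether, which is the stronger fix; the branch patch corresponds to refusing the about: alias from content.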
Comment 3•19 years ago
Brendan: Can you review the patches and give the a= so we can get this checked in soon? Thanks.
Comment 4•19 years ago
Comment on attachment 186337 (block about: from chrome)
Yeah, let's go. This is overdue. /be
Attachment #186337 - Flags: superreview?(brendan) → superreview+
Attachment #186337 - Flags: review?(brendan) → review+
Attachment #186337 - Flags: approval-aviary1.1a2+
Comment 5•19 years ago
Comment on attachment 186337 (block about: from chrome)
We want this on the branch too. a=jay
Attachment #186337 - Flags: approval-aviary1.0.5+
I seem to recall having a patch which we backed out that let documents retain their proper URL instead of having them morph :(
Updated•19 years ago
Component: General → Security: CAPS
Flags: review+
Product: Firefox → Core
Version: unspecified → Trunk
Comment 7•19 years ago
Updated product/component per timeless. Since this is core, we should probably get this in 1.7.9 also, right? Nominating...
Flags: blocking1.7.9?
Updated•19 years ago
Whiteboard: [sg:fix] -need patch → [sg:fix] need landing
Comment 8•19 years ago (Assignee)
Checked in to aviary/1.7/trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed-aviary1.0.5, fixed1.7.9
Resolution: --- → FIXED
Updated•19 years ago
Flags: blocking1.7.9? → blocking1.7.9+
Comment 9•19 years ago
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050706 Firefox/1.0.5 using the original testcase. about: cannot be loaded.
Comment 10•19 years ago
Adding distributors
Updated•19 years ago
Flags: testcase+
Updated•17 years ago
Flags: in-testsuite+ → in-testsuite?