Closed
Bug 1242012
Opened 8 years ago
Closed 8 years ago
Thunderbird xss while opening mails by performing a search
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: researchertriponoid, Unassigned)
Details
(Whiteboard: sec-high if we can reproduce this)
Attachments
(1 file)
142.22 KB, image/png
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160105164030

Steps to reproduce:

Simply, open Mozilla Thunderbird:
- Go to File > New > Message
- Go to Insert > HTML
- Paste the following HTML code and click Insert. Code to paste:
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)">
- Send mail to anyone using the Thunderbird client
- Victim opens mail and keeps it open in the tab.
- Victim performs a search and opens a mail containing HTML files.

Actual results:

When the victim opens the mail he will see an empty iframe (or empty mail), but when the victim keeps this mail open and performs a search to open a mail containing some HTML elements, the payload will be activated. XSS JavaScript prompt comes with message /XSS by Researcher triponoid: triponoid.com/
See screen video for more details: https://vid.me/Oeky

Expected results:

This should be filtered.
Updated•8 years ago (Reporter)
Severity: normal → major
Component: Search → General
Summary: Thunderbird xss while opening mails by a search → Thunderbird xss while opening mails by performing a search
Comment 1•8 years ago
Haven't been able to reproduce this so far. Does the opened mail need to be special somehow?
Comment 2•8 years ago (Reporter)
(In reply to Magnus Melin from comment #1)
> Haven't been able to reproduce this so far.
>
> Does the opened mail need to be special somehow?

The thingy is there isn't any frequency in prompting the requested message. The opened mail that you'll need to keep open needs to contain the following HTML code:
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)">

Steps to reproduce:
- Go to File > New > Message
- Go to Insert > HTML
- Paste the following HTML code and click Insert:
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)">
- Send mail to anyone (in this case yourself) using the Thunderbird client
- Open up this mail in Thunderbird as a tab (by double-clicking the email, see video above)
- Perform a search and open up some emails (most effective with emails containing HTML elements)
Updated•8 years ago
Component: General → Security
Comment 3•8 years ago (Reporter)
More details about how to reproduce this:

You need to open Thunderbird and let it run for a while (in my test cases I let it run for at least 2 minutes, or at least until the syncing of your mails is finished).

Reproduce the exploit:
- Go to File > New > Message
- Go to Insert > HTML
- Paste the following HTML code and click Insert:
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)">
- Send it to any mail in your Thunderbird client. (I've called it payload)
- Send the same mail again with the steps above to the same address (in my demo I've called it payload activation).
- Close your Thunderbird client
- Reopen your Thunderbird client and keep it running for at least 2 minutes without doing anything
- Open the mail that you've sent to yourself as a tab
- Search for a mail using Thunderbird global search within this tab
- Open several mails containing HTML code, or search for the mail that you've sent earlier to yourself called payload activation.
- After some period an XSS should be displayed.

On this test I was using Thunderbird client 38.5.1 on Windows 10.

A new video demonstrating this security issue: https://vid.me/Vulk
Comment 4•8 years ago
Giving this a "web-security" keyword has hidden this from client triage.
Keywords: wsec-xss
Comment 5•8 years ago (Reporter)
This bug still occurs on the new version: 38.6.0
Updated•8 years ago (Reporter)
Severity: major → critical
Comment 6•8 years ago
Now that we have more explicit steps in comment 3, can we investigate this further?
Updated•8 years ago
Flags: sec-bounty?
Comment 7•8 years ago
Adding Jorgk to cc: to see if he has any interest in investigating this.
Comment 9•8 years ago
(In reply to Al Billings [:abillings] from comment #8)
> Did you mean to CC someone in comment 7, Kent?

Yes, he is mozilla@jorgk.com on the cc list.
Flags: needinfo?(rkent)
Comment 10•8 years ago
I still can't reproduce. researchertriponoid: Could you please open the Help menu and open the "Troubleshooting Information" item. You could either use the "Copy text to clipboard" button to grab it all and paste it in here, or if you're concerned about leaking your mail server name at least copy the Extensions and the following "Important Modified Preferences" sections and attach or paste them here. Sorry I don't know the Dutch translations but hopefully they will be obvious.
Flags: needinfo?(researchertriponoid)
Comment 11•8 years ago (Reporter)
Here is the paste: (Sorry for the Dutch words, I've translated the topics you are looking for)

Toepassingsbasics
Naam: Thunderbird
Versie: 38.7.2
Useragent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
Profielmap: Map tonen (Lokaal station)
Build-ID van de toepassing: 20160402193654
Ingeschakelde plug-ins: about:plugins
Buildconfiguratie: about:buildconfig
Geheugengebruik: about:memory
Crashrapporten
http://crash-stats.mozilla.com/report/index/bp-185268ef-894f-4e07-936d-931b02160130 (30/01/2016)

Extensies = (Extensions)
Lightning, 4.0.7.2, true, {e2fda1a4-762b-4020-b5ad-a41df1933103}

Belangrijke aangepaste voorkeuren = (Important Modified Preferences)
Naam: Waarde = (Name: Value)
browser.cache.disk.capacity: 358400
browser.cache.disk.smart_size_cached_value: 358400
browser.cache.disk.smart_size.first_run: false
browser.cache.disk.smart_size.use_old_max: false
extensions.lastAppVersion: 38.7.2
font.internaluseonly.changed: false
font.name.monospace.el: Consolas
font.name.monospace.x-cyrillic: Consolas
font.name.monospace.x-unicode: Consolas
font.name.monospace.x-western: Consolas
font.name.sans-serif.el: Calibri
font.name.sans-serif.x-cyrillic: Calibri
font.name.sans-serif.x-unicode: Calibri
font.name.sans-serif.x-western: Calibri
font.name.serif.el: Cambria
font.name.serif.x-cyrillic: Cambria
font.name.serif.x-unicode: Cambria
font.name.serif.x-western: Cambria
font.size.fixed.el: 14
font.size.fixed.x-cyrillic: 14
font.size.fixed.x-unicode: 14
font.size.fixed.x-western: 14
font.size.variable.el: 17
font.size.variable.x-cyrillic: 17
font.size.variable.x-unicode: 17
font.size.variable.x-western: 17
mail.openMessageBehavior.version: 1
mail.winsearch.firstRunDone: true
mailnews.database.global.datastore.id: 2fdbf653-bda3-4765-8f87-a3b25aba393
mailnews.database.global.views.conversation.columns: {"threadCol":{"visible":true,"ordinal":"1"},"flaggedCol":{"visible":true,"ordinal":"3"},"attachmentCol":{"visible":false…
network.cookie.prefsMigrated: true
network.predictor.cleaned-up: true
places.database.lastMaintenance: 1460498511
places.history.expiration.transient_current_max_pages: 101907
plugin.importedState: true

Grafisch = (Graphics)
Adapterbeschrijving: Intel(R) HD Graphics
Vendor-ID: 0x8086
Device-ID: 0x0046
Adapter-RAM: Unknown
Adapterstuurprogramma’s: igdumd64 igd10umd64 igdumdx32 igd10umd32
Stuurprogrammaversie: 8.15.10.2900
Datum stuurprogramma: 11-26-2012
Direct2D ingeschakeld: false
DirectWrite ingeschakeld: false (10.0.10240.16430)
ClearType-parameters: ClearType-parameters niet gevonden
WebGL-renderer: false
GPU-versnelde vensters: 0
AzureCanvasBackend: skia
AzureSkiaAccelerated: 0
AzureFallbackCanvasBackend: cairo
AzureContentBackend: cairo

JavaScript
Incrementele GC: 1

Toegankelijkheid
Geactiveerd: 0
Toegankelijkheid voorkomen: 0

Bibliotheekversies
Verwachte minimale versie / Gebruikte versie
NSPR 4.10.10 / 4.10.10
NSS 3.19.2.3 Basic ECC / 3.19.2.3 Basic ECC
NSS Util 3.19.2.3 / 3.19.2.3
NSS SSL 3.19.2.3 Basic ECC / 3.19.2.3 Basic ECC
NSS S/MIME 3.19.2.3 Basic ECC / 3.19.2.3 Basic ECC
Flags: needinfo?(researchertriponoid)
Updated•8 years ago
Flags: needinfo?(dveditz)
Comment 12•8 years ago
There's nothing in your about:support that's significantly different from what I have that would affect this functionality. I have a couple of add-ons in addition to Lightning, but even with all of them disabled I still cannot reproduce what I see in the video.
Flags: needinfo?(dveditz)
Whiteboard: sec-high if we can reproduce this
Comment 13•8 years ago (Reporter)
Ok so I've copied both mail sources now. This one is the payload:

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)"><br>
</iframe>
</body>
</html>

and this one is the payload activation:

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)"><br>
</iframe>
</body>
</html>

So basically it's the same payload 2 times. If you are still not able to reproduce it I am allowing you to remote control my Thunderbird/Windows.
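As a defender-side illustration (an added example, not part of this bug report or of Thunderbird's code): a small standard-library filter that takes an HTML mail body such as the payload source pasted above, drops inline on* handlers and iframe/script/object/embed elements, and reports what it removed, so a gateway or a regression test can both block and log such a message. `ActiveContentFilter`, `sanitize` and `ACTIVE_TAGS` are names chosen here.

```python
# Added example (not Thunderbird code): strip inline on* handlers and active
# elements from an HTML mail body, reporting what was removed. Stdlib only.
import html
from html.parser import HTMLParser

# Elements that can run or load active content; dropped with their contents.
ACTIVE_TAGS = {"iframe", "script", "object", "embed"}

# Constructed sample: the "payload" mail source pasted in comment 13.
PAYLOAD_MAIL = """<html><head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head><body text="#000000" bgcolor="#FFFFFF">
<iframe style="position:absolute;top:0;left:0;width:100%;height:100%"
 onmouseover="prompt(/XSS by Researcher triponoid: triponoid.com/)"><br>
</iframe></body></html>"""

class ActiveContentFilter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.findings, self.skip = [], [], 0  # findings: (tag, attr, value)

    def _start(self, tag, attrs, selfclose):
        # HTMLParser already lower-cases tag and attribute names.
        self.findings += [(tag, n, v) for n, v in attrs if n.startswith("on")]
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, None, None))
            self.skip += 0 if selfclose else 1  # suppress content up to the end tag
        elif not self.skip:
            kept = "".join(f' {n}="{html.escape(v or "", quote=True)}"'
                           for n, v in attrs if not n.startswith("on"))
            self.out.append(f"<{tag}{kept}{'/' if selfclose else ''}>")

    handle_starttag = lambda self, tag, attrs: self._start(tag, attrs, False)
    handle_startendtag = lambda self, tag, attrs: self._start(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # re-escape text

def sanitize(body):
    """Return (clean_html, findings) for one HTML mail body."""
    f = ActiveContentFilter(); f.feed(body); f.close()
    return "".join(f.out), f.findings
```

Run against PAYLOAD_MAIL the findings list names both the onmouseover handler and the iframe itself, and the returned body keeps only the inert html/head/meta/body skeleton.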
Comment 14•8 years ago
The bug bounty committee is going to minus this bug without a clear ability to reproduce. Please work with the community Thunderbird developers ni?jorgk for comment 7
Flags: sec-bounty?
Flags: sec-bounty-
Flags: needinfo?(mozilla)
Comment 15•8 years ago
I've looked at it briefly and don't think I have the right skill set, I'm sorry. Plus I was really busy with TB 45.0 and 45.1 releases and regressions.
Flags: needinfo?(mozilla)
Comment 16•8 years ago
Still can't reproduce with exactly the mails included in comment 13
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Updated•7 years ago
Group: mail-core-security