Closed Bug 1289626 Opened 8 years ago Closed 8 years ago

PAC's FindProxyForURL is insecure ("Unholy PAC")

Categories: Core :: Networking, defect
Priority: Not set
Severity: normal

Status: RESOLVED DUPLICATE of bug 1255474

People: Reporter: andy; Assignee: Unassigned

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160623084759

Steps to reproduce:

See: https://www.blackhat.com/us-16/briefings.html#crippling-https-with-unholy-pac

I don't know full details, and I haven't tested it, but presumably what's going on is that FindProxyForURL isn't locked down enough.  I'm guessing there are two classes of vulnerabilities here:

1. FindProxyForURL is passed full URLs even if they use HTTPS.  This directly leaks any sensitive information in the URL to the local network in cleartext.

2. FindProxyForURL is executed in an insufficiently sandboxed context.  From the advisory, it sounds like state is shared between FindProxyForURL invocations, allowing malicious PAC scripts to inject code into one tab based on the URL or (for HTTP) contents of another tab.

I'm not marking this as a "security" bug because it's already public.

If this is already being tracked internally, feel free to close it.
Component: Untriaged → Networking
Product: Firefox → Core
This is a dupe of Bug 1255474, tracked with the security bit enabled still.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE