Bug 284627 - arbitrary code execution via sidebar
Status: Closed, VERIFIED FIXED
Opened 19 years ago, closed 19 years ago
Categories: Firefox :: Security, defect
Reporter: u115577; Assigned: mconnor
Keywords: fixed-aviary1.0.2, testcase; Whiteboard: [sg:fix] CAN-2005-0402
Attachments (6 files, 1 obsolete file):
- 679 bytes, text/html
- 519 bytes, text/html
- 892 bytes, text/html
- 519 bytes, text/html
- 1.10 KB, text/html
- 3.98 KB, patch (bryner: review+; dveditz: superreview+; asa: approval-aviary1.0.2+)
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050302 Firefox/1.0+

Sidebar allows an attacker to link to the privileged content (such as about:config) and run arbitrary code on the content.

Reproducible: Always

Steps to Reproduce:
1. Bookmark testcase as sidebar panel
2. Click links in order

Actual Results:
about:config is loaded. "browser.startup.homepage" will be overwritten. Further attacks can be done successfully.

Expected Results:
Link to the privileged content should be blocked.
Sorry for spam...

Steps to Reproduce (corrected):
1. Bookmark testcase as sidebar panel
2. Select "Sidebar Attack Test" from your bookmark and load it in the sidebar
3. Click links in order
This test case will erase localstore.rdf file in your profile directory.
Comment 6•19 years ago
> 1. Bookmark testcase as sidebar panel
Is this a Firefox-specific feature? I don't see a way to do this in Mozilla...
(In reply to comment #6)
>> 1. Bookmark testcase as sidebar panel
>
> Is this a Firefox-specific feature? I don't see a way to do this in Mozilla...

This "add sidebar tab" feature works in Mozilla Suite too. But to do so, you have to open sidebar at least once with new profile. Maybe known bug.

In Mozilla Suite, the testcase failed to load about:config. Expected security error appears in JavaScript Console. This is a Firefox-specific bug.
Updated•19 years ago
Assignee: dveditz → firefox
Status: UNCONFIRMED → NEW
Component: Security: General → General
Ever confirmed: true
Flags: blocking-aviary1.1?
Product: Core → Firefox
QA Contact: general
Comment 8•19 years ago
There also seems to be no "security" component for Firefox, so putting in General, I guess.... This sounds like a pretty critical issue to me, though.
Updated•19 years ago (Assignee)
Assignee: firefox → mconnor
Comment 9•19 years ago (Assignee)
Because we special-cased web panel links here, we skipped any existing security checks, and just loaded stuff directly. Yay us. This patch handles both testcases properly, with proper errors in the JS console. Bonus: By forcing javascript: links to execute in the sidebar, sidebars like http://sidebar.cnn.com/browsers/ns6/cnn.com.expanded.html will now work.
Attachment #176416 - Flags: review?(bugs)
Comment 10•19 years ago
Comment on attachment 176416 [details] [diff] [review]
add security check to web panel links

r=ben@mozilla.org
Attachment #176416 - Flags: review?(bugs) → review+
Updated•19 years ago
Flags: blocking-aviary1.0.2?
Whiteboard: [sg:fix]
Updated•19 years ago (Assignee)
Attachment #176416 - Flags: approval-aviary1.0.2?
Comment 11•19 years ago
Comment on attachment 176416 [details] [diff] [review]
add security check to web panel links

Any way to fix this via an update to the two .js files, not a full app update?

/be
Attachment #176416 - Flags: approval-aviary1.0.2? → approval-aviary1.0.2+
Comment 12•19 years ago
mconnor, thanks for patching. /be
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.2?
Flags: blocking-aviary1.0.2+
Comment 13•19 years ago (Assignee)
Not specifically the two js files, but both are contained in browser.jar and we can just install a new copy over top with an XPI. Zipped, the current browser.jar is 261k on Windows.
Comment 14•19 years ago
yeah, that sounds like a reasonable solution provided the firefox user has write permission to the installation directory.
Comment 15•19 years ago (Reporter)
"data:" URL example.
Comment 16•19 years ago (Assignee)
Hmm, the downside of the XPI route is the old "running 'sudo firefox' nukes bookmarks and friends" problem that hit people the last time we issued an XPI security release. If we go down that route, we need to have a significant warning in the instructions for *nix boxes.
Comment 17•19 years ago
Comment on attachment 176416 [details] [diff] [review]
add security check to web panel links

Er... Can't sites change what document.location returns by setting up Js object setters, etc? As in, don't you need a sprinkling of XPCNativeWrapper in this code? Specifically:

1) You want to get the ownerDocument from a wrapper (say change |wrapper| to also expose ownerDocument).
2) You then want to wrap the document before getting .location.
3) You probably also want to wrap the location object itself...

Marking review-, since this patch doesn't actually prevent a sufficiently malicious site from exploiting this code...
Attachment #176416 - Flags: review+ → review-
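The two points made in comment 9 (web-panel links skipped the load check) and comment 17 (the panel's location must be read through a wrapper the page cannot override), as an added JavaScript model. This is not Firefox's code; the scheme list, the function names and the sample page are assumptions of the model.

```javascript
// Added model (not Firefox's code) of the check comment 9 says web-panel
// links were skipping, plus comment 17's point that the panel document's
// location must be read through a wrapper the page cannot override.
// The scheme list, names and sample page below are this model's assumptions.
const PRIVILEGED_SCHEMES = new Set(["about", "chrome", "resource", "file"]);

function schemeOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// Model of checkLoadURI: may a document at `source` load or link to `target`?
// Returns null when allowed, otherwise the error string for the JS console.
function checkLoadURI(source, target) {
  const src = schemeOf(source), dst = schemeOf(target);
  if (dst === null) return `Security Error: malformed URI ${target}`;
  if (PRIVILEGED_SCHEMES.has(src)) return null;   // chrome may load anything
  if (PRIVILEGED_SCHEMES.has(dst)) {
    return `Security Error: Content at ${source} may not load or link to ${target}.`;
  }
  return null;   // web, data: and javascript: targets run with the panel's own privileges
}

// Minimal stand-in for a DOM Location: the real href lives behind a
// prototype getter, which is what an XPCNativeWrapper reaches.
class PanelLocation {
  constructor(href) { this._href = href; }
  get href() { return this._href; }
}
function wrappedHref(loc) {   // model of XPCNativeWrapper(loc).href
  return Object.getOwnPropertyDescriptor(PanelLocation.prototype, "href").get.call(loc);
}

// The sidebar's link handler: decide from the panel's real origin.
function handleWebPanelLink(panelDoc, targetHref, useWrapper) {
  const source = useWrapper ? wrappedHref(panelDoc.location) : panelDoc.location.href;
  return checkLoadURI(source, targetHref);
}

// Constructed sample page that shadows location.href with its own getter,
// the case comment 17 says the unwrapped patch would not catch.
function makeShadowingPanelDoc() {
  const loc = new PanelLocation("https://example.invalid/panel.html");   // hypothetical
  Object.defineProperty(loc, "href", { get: () => "chrome://browser/content/browser.xul" });
  return { location: loc };
}
```

With `useWrapper` false the handler believes the shadowed href and lets the about:config link through; with it true the check produces the same "may not load or link to" error that comment 25 reports from the fixed build.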
Comment 18•19 years ago (Assignee)
Attachment #176416 - Attachment is obsolete: true
Updated•19 years ago (Assignee)
Attachment #176487 - Flags: approval-aviary1.0.2?
Comment 19•19 years ago
I assume these flags were group-moved to 1.0.3, we really want this in 1.0.2 I think.
Flags: blocking-aviary1.0.2+
Comment 21•19 years ago
Comment on attachment 176487 [details] [diff] [review]
patch with more wrapper-fu

a=asa for 1.0.2 landing.
Attachment #176487 - Flags: approval-aviary1.0.3? → approval-aviary1.0.2+
Comment 22•19 years ago
Comment on attachment 176487 [details] [diff] [review]
patch with more wrapper-fu

setting review flags
Attachment #176487 - Flags: superreview?(dveditz)
Attachment #176487 - Flags: review?(bzbarsky)
Updated•19 years ago
Attachment #176487 - Flags: review?(bzbarsky) → review+
Comment 23•19 years ago
Comment on attachment 176487 [details] [diff] [review]
patch with more wrapper-fu

sr=dveditz

bz says he gave a verbal r= to this patch when it was first posted, just never made it into the bug.
Attachment #176487 - Flags: superreview?(dveditz) → superreview+
Comment 24•19 years ago
Fix checked in to trunk and aviary-1.0.1 branch
Comment 25•19 years ago (Reporter)
Verified on Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050317 Firefox/1.0+

JavaScript Console says "Security Error: Content at https://bugzilla.mozilla.org/attachment.cgi?id=176250 may not load or link to about:config."
Comment 26•19 years ago
this also looks good using 2005031707-1.0.2 firefox bits on linux fc3 with the 2 test cases.
Keywords: testcase
Comment 27•19 years ago
looks good on Windows 2005-03-17-06-aviary1.0.1
Status: RESOLVED → VERIFIED
Comment 29•19 years ago
Advisory published: http://www.mozilla.org/security/announce/mfsa2005-31.html
Group: security
Comment 30•19 years ago
(In reply to comment #2)
> Created an attachment (id=176153) [edit]
> add sidebar panel page

The following errors go out to JavaScript Console when this test case is executed.

Error: makeURI is not defined
Source File: chrome://browser/content/contentAreaUtils.js
Line: 108

Windows XP SP1
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Updated•19 years ago
Flags: testcase+
Updated•17 years ago
Flags: in-testsuite+ → in-testsuite?