371375 - [FIX]Websites can test for URLs visited (pdp Firefox Cache Hack - Firefox History Hack redux)

Status: RESOLVED FIXED

(Core :: Security, defect)

Description

[Ben Bucksch (:BenB)]

Subject: Firefox Cache Hack - Firefox History Hack redux
From: "pdp (architect)" <pdp.gnucitizen@googlemail.com>
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com,
	"WASC Forum" <websecurity@webappsec.org>
Date: Fri, 23 Feb 2007 12:32:29 +0000
Message-ID: <6905b1570702230432q5a0a5b7eq4839d709748f9b90@mail.gmail.com>


http://www.gnucitizen.org/projects/hscan-redux/

[...]

This vulnerability is not a reworked version of Jeremiah Grossman
history hack. It is completely different and it should be treated as a
new issue. The peculiar thing about this vulnerability is that it
tells you which URLs you have attended during the current browser
session (the last time you opened your browser). I am not sure how
useful this is.

Keep in mind that attackers can abuse this vulnerability in order to
extract valuable information about your browsing habits. They can also
use this hack to precisely detect whether you are logged into your
router management interface. They can use this hack to detect your
router type and version as well. Based on this information, they might
be able to compromise the integrity of your network.

The POC is located [... below]. If all checks show up as NOT visited, then visit one of the listed URLs and retest again.

http://www.gnucitizen.org/projects/hscan-redux/poc.htm

Comment 1

[Ben Bucksch (:BenB)]

It seems you can only test for specific URLs, not really getting the list. Compare bug 147777.

Comment 2

[Boris Zbarsky [:bzbarsky]]

So on trunk this doesn't work at all, because CheckLoadURI blocks the loads.  On branch, it doesn't because about: is a ChromeProtocol and <script> is allowed to load such on branch (because we want to allow loading of chrome:// scripts or something).

Now why the heck is about: a ChromeProtocol instead of a DenyProtocol?  It used to be the latter, but then the change to implement about:about in bug 56061 changed it.  The comments about the security implications of that change in that bug are completely bogus.  It allowed a heck of a lot more than chrome:// URIs to load about: URIs.  And more importantnly, chrome:// should already have the system principal, so on the 1.8 branch (where we use CheckLoadURIWithPrincipal in all the sane cases) we really don't need that change.

Comment 3

[Boris Zbarsky [:bzbarsky]]

Attachment: Fix

Comment 4

[Boris Zbarsky [:bzbarsky]]

Attachment: Regression test

Comment 5

[kitchin]

Why should <script> be able to load chrome:// ?

Comment 6

[Boris Zbarsky [:bzbarsky]]

Long story which doesn't really belong here.  See bug 292789.

Comment 7

[Daniel Veditz [:dveditz]]

Comment on attachment 256194 [details] [diff] [review]
Fix

r/sr=dveditz

Comment 8

[Daniel Veditz [:dveditz]]

Note that this means on-disk help pages can't link to things like about:license or about:credits.  Not worth opening privacy holes for, but prepare for complaints.

Comment 9

[Boris Zbarsky [:bzbarsky]]

Not sure why this was filed as a trunk bug, since the issue is branch-only.

Comment 10

[Boris Zbarsky [:bzbarsky]]

> Note that this means on-disk help pages 

Hmm... Are those something we ship?

Comment 11

[Daniel Veditz [:dveditz]]

we (Mozilla) don't, no, but some distros/OEMs might. But then, I'm not sure they're linking to about: anything from there. Just thought I'd mention it in case it reminded someone of a similar use.

Comment 12

[Daniel Veditz [:dveditz]]

Comment on attachment 256194 [details] [diff] [review]
Fix

approved for 1.8/1.8.0 branches, a=dveditz for drivers

Comment 13

[Boris Zbarsky [:bzbarsky]]

Fixed on both branches, tests checked in.