Closed Bug 460002 (CVE-2008-5022) Opened 16 years ago Closed 16 years ago

It's possible to circumvent the inner window check in nsXMLHttpRequest::NotifyEventListeners()

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

VERIFIED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: smaug)

Details

(Keywords: verified1.8.1.18, verified1.9.0.4, Whiteboard: [sg:high])

Attachments

(6 files)

This bug is for fx3.0.x and fx2.0.0.x.

In nsXMLHttpRequest::NotifyEventListeners(), CheckInnerWindowCorrectness() is
called only once, and then multiple listeners are called.  Thus, it's possible
to circumvent the inner window check by using two listeners.

(Trunk is also exploitable in the same way, but depends on bug 460001.)
Attached file testcase 1
This tries to get cookies for www.mozilla.com.
This works on fx3.0.x.
Attached file testcase 2
This tries to get cookies for www.mozilla.com.
This works on fx2.0.0.x.
Assignee: nobody → Olli.Pettay
Flags: blocking1.9.0.4?
Flags: blocking1.8.1.18?
For some reason I can't reproduce on ff2.0.0.x, using either of testcase.
Testcase 1 shows the bug on FF3
Attached patch for 1.9.0Splinter Review
Fixes FF3
Attachment #343213 - Flags: superreview?(jonas)
Attachment #343213 - Flags: review?(jonas)
Attached patch for 1.8Splinter Review
Should fix 1.8. Note, the first check can't be removed in 1.8, because there is one HandleEvent call before the loop.
Anyone who can reproduce on FF2, please verify that this fixes the problem.
Attachment #343214 - Flags: superreview?(jonas)
Attachment #343214 - Flags: review?(jonas)
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Whiteboard: [sg:high]
Flags: blocking1.9.0.4?
Flags: blocking1.9.0.4+
Flags: blocking1.8.1.18?
Flags: blocking1.8.1.18+
I can reproduce "testcase 2" on Windows, but cannot on Linux.  I'll attach a
new testcase that is reproducible on fx2 on both Windows and Linux.

And, using the new testcase on Linux, I verified that the patch fixes the
problem.
Attached file testcase 3
This tries to get cookies for www.mozilla.com.
This works on fx2.0.0.x on Windows and Linux.
Attachment #343213 - Flags: superreview?(jonas)
Attachment #343213 - Flags: superreview+
Attachment #343213 - Flags: review?(jonas)
Attachment #343213 - Flags: review+
Attachment #343214 - Flags: superreview?(jonas)
Attachment #343214 - Flags: superreview+
Attachment #343214 - Flags: review?(jonas)
Attachment #343214 - Flags: review+
Attachment #343213 - Flags: approval1.9.0.4?
Attachment #343214 - Flags: approval1.8.1.18?
Comment on attachment 343214 [details] [diff] [review]
for 1.8

Approved for 1.8.1.18, a=dveditz for release-drivers
Attachment #343214 - Flags: approval1.8.1.18? → approval1.8.1.18+
Comment on attachment 343213 [details] [diff] [review]
for 1.9.0

Approved for 1.9.0.4, a=dveditz for release-drivers
Attachment #343213 - Flags: approval1.9.0.4? → approval1.9.0.4+
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Verified for 1.8.1.18 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18pre) Gecko/2008102103 BonEcho/2.0.0.18pre.
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre using both testcases.
Verified that this is not an issue in 3.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081020 Minefield/3.1b2pre.
Status: RESOLVED → VERIFIED
Comment on attachment 343214 [details] [diff] [review]
for 1.8

a=asac for 1.8.0 branch (needs some context adjustments)
Attachment #343214 - Flags: approval1.8.0.15+
Alias: CVE-2008-5022
Group: core-security
Flags: blocking1.8.0.next+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: