Bug 477039 (Closed): IETab exposes its entire API to web pages
Opened 15 years ago, closed 15 years ago
Categories: addons.mozilla.org Graveyard :: Administration, defect
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: Reporter: jwkbugzilla, Unassigned
Attachments (1 file): 179 bytes, text/html
In the file content/ietabOverlay.js, there is a method assignJSObject:

    if (contentDocument && contentDocument.getElementById('IETab')) {
      var ietab = contentDocument.getElementById('IETab');
      if (ietab.wrappedJSObject)
        ietab = ietab.wrappedJSObject;
      // gIeTab is the overlay's chrome-privileged object
      ietab.requestTarget = gIeTab;
    }

This is meant to be used only by the extension's own chrome document that acts as a wrapper for the IE plugin. However, any web page containing an element with ID "IETab" will get access to the gIeTab object as well. Proof-of-concept exploit attached - install IE Tab 1.5.20081203 and open the attached exploit page; it will open http://google.com/ in an Internet Explorer tab using the addIeTab() method (nice way to exploit Internet Explorer bugs from Firefox). This API was never meant to be called by untrusted code, so I am sure that there are many other ways to abuse it as well (e.g. addBookmarkMenuitem() can probably be used to run JavaScript code in chrome context, and the goDoCommand() method also looks very promising).
Hello Wladimir, I've changed the code in assignJSObject() to fix this security problem:

    if (aDoc instanceof HTMLDocument) {
      var aBrowser = getBrowser().getBrowserForDocument(aDoc);
      // only hand out gIeTab when the owning browser is on the extension's own chrome: URL
      if (aBrowser && aBrowser.currentURI && aBrowser.currentURI.spec.indexOf(gIeTabChromeStr) == 0) {
        if (aDoc && aDoc.getElementById('IETab')) {
          var ietab = aDoc.getElementById('IETab');
          if (ietab.wrappedJSObject)
            ietab = ietab.wrappedJSObject;
          ietab.requestTarget = gIeTab;
        }
      }
    }

Dear Rey, the new version has been uploaded to AMO, please help to review it. Thank you.
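The trust boundary at issue, as an added model that is neither IE Tab's code nor part of this bug thread: plain objects stand in for Firefox's documents and browsers, the chrome: prefix and file names are placeholders, and both versions of assignJSObject are run over a web page that copies the wrapper's element id.

```javascript
// Added model of the bug and its fix, not IE Tab's own code: Firefox's document,
// browser and wrappedJSObject machinery is replaced by plain objects constructed
// here so the trust check can be run offline.

// Stand-in for gIeTabChromeStr; the real chrome: prefix is not on the bug page.
const IETAB_CHROME_PREFIX = "chrome://ietab-placeholder/content/";

// Privileged object the overlay hands out; only the extension's own page should get it.
const gIeTab = { addIeTab: (url) => `would open ${url} in an IE tab` };

// Minimal document stand-in: `url` models the owning browser's currentURI.spec,
// `ids` the element ids the page contains.
function makeDocument(url, ids) {
  const elements = Object.fromEntries(ids.map((id) => [id, { id }]));
  return { url, getElementById: (id) => elements[id] || null };
}

// Vulnerable version: any document carrying an element with id "IETab" is trusted.
function assignJSObjectVulnerable(doc) {
  const ietab = doc.getElementById("IETab");
  if (!ietab) return false;
  ietab.requestTarget = gIeTab; // handed to whatever page owns the element
  return true;
}

// Fixed version: the owning browser's URL must start with the extension's
// chrome: prefix before the element is even looked up (mirrors indexOf(...) == 0).
function assignJSObjectFixed(doc) {
  if (doc.url.indexOf(IETAB_CHROME_PREFIX) !== 0) return false;
  const ietab = doc.getElementById("IETab");
  if (!ietab) return false;
  ietab.requestTarget = gIeTab;
  return true;
}

// Constructs a page at `url` that mimics the wrapper by carrying an "IETab"
// element, runs `assign` over it, and reports whether the page now holds gIeTab.
function leaksTo(assign, url) {
  const doc = makeDocument(url, ["IETab"]);
  assign(doc);
  return doc.getElementById("IETab").requestTarget === gIeTab;
}

// Constructed sample URLs: a web page and the extension's own wrapper page.
const WEB_PAGE = "http://example.invalid/";
const WRAPPER_PAGE = IETAB_CHROME_PREFIX + "wrapper.html"; // placeholder filename
```

Note that the check keys on the browser's URL, not on anything the page itself can set, which is what makes the element id stop being a trust signal.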
Reporter, Comment 3 • 15 years ago
I checked version 1.5.20090207, that issue seems to be fixed (both instances of it). IE Tab will now only accept the page as "its own" if the URL matches.
Reporter, Updated • 15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Assignee, Updated • 8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
Updated • 8 years ago
Group: client-services-security
Flags: needinfo?(jorge)