Closed Bug 477039 Opened 15 years ago Closed 15 years ago

IETab exposes its entire API to web pages

Categories

(addons.mozilla.org Graveyard :: Administration, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jwkbugzilla, Unassigned)

Details

Attachments

(1 file)

Attached file PoC exploit
In the file content/ietabOverlay.js, there is a method assignJSObject:

   if (contentDocument && contentDocument.getElementById('IETab')) {
      var ietab = contentDocument.getElementById('IETab');
      if (ietab.wrappedJSObject) ietab = ietab.wrappedJSObject;
      ietab.requestTarget = gIeTab;
   }

This is meant to be used only by the extension's own chrome document that acts as a wrapper for the IE plugin. However, any web page containing an element with ID "IETab" will get access to the gIeTab object as well. Proof-of-concept exploit attached: install IE Tab 1.5.20081203 and open the exploit page; it will open http://google.com/ in an Internet Explorer tab using the addIeTab() method (nice way to exploit Internet Explorer bugs from Firefox). This API was never meant to be called by untrusted code, so I am sure that there are many other ways to abuse it as well (e.g. addBookmarkMenuitem() can probably be used to run JavaScript code in chrome context, and the goDoCommand() method also looks very promising).
The developer has been emailed.
Hello Wladimir,

I've changed the code on assignJSObject() to fix this security problem:

if (aDoc instanceof HTMLDocument) {
   var aBrowser = getBrowser().getBrowserForDocument(aDoc);
   if (aBrowser && aBrowser.currentURI && aBrowser.currentURI.spec.indexOf(gIeTabChromeStr) == 0) {
      if (aDoc && aDoc.getElementById('IETab')) {
         var ietab = aDoc.getElementById('IETab');
         if (ietab.wrappedJSObject) ietab = ietab.wrappedJSObject;
         ietab.requestTarget = gIeTab;
      }
   }
}

Dear Rey,
The new version has been uploaded to AMO, please help to review it.

Thank you.
I checked version 1.5.20090207, that issue seems to be fixed (both instances of it). IE Tab will now only accept the page as "its own" if the URL matches.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
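The gate discussed in this bug, as an added example that is not IE Tab's own code: a mock of assignJSObject() before and after the fix, with the document, browser and chrome prefix (standing in for gIeTabChromeStr) constructed locally, and the wrappedJSObject unwrapping omitted since it does not affect the check.

```javascript
// Added example (not IE Tab's own code): a mock of assignJSObject()'s gate
// before and after the fix, so the effect of the URL check can be exercised.
const IETAB_CHROME_PREFIX = "chrome://ietab/content/"; // stands in for gIeTabChromeStr

// Mock document: a URL plus a lookup of the element ids it contains.
function makeDoc(url, ids) {
  const elements = new Map(ids.map((id) => [id, { id }]));
  return { url, getElementById: (id) => elements.get(id) || null };
}

function browserFor(doc) { // mock of getBrowser().getBrowserForDocument(doc)
  return { currentURI: { spec: doc.url } };
}

// Original logic: any document containing an element with id "IETab" is trusted.
// Returns true when the privileged object was handed to the document.
function assignJSObjectVulnerable(doc, gIeTab) {
  const ietab = doc && doc.getElementById("IETab");
  if (!ietab) return false;
  ietab.requestTarget = gIeTab; // leaks to whichever page owns doc
  return true;
}

// Fixed logic (as in 1.5.20090207): the document is only treated as the
// extension's own wrapper page when its browser's URL has the chrome prefix.
function assignJSObjectFixed(doc, gIeTab) {
  const browser = browserFor(doc);
  if (!browser || !browser.currentURI ||
      browser.currentURI.spec.indexOf(IETAB_CHROME_PREFIX) !== 0) {
    return false;
  }
  const ietab = doc.getElementById("IETab");
  if (!ietab) return false;
  ietab.requestTarget = gIeTab;
  return true;
}

// Exercise both versions with the wrapper page and an ordinary web page that
// merely copies the element id; reports where the object was exposed.
function compare() {
  const gIeTab = { addIeTab: (url) => url }; // stand-in for the real object
  const chromeDoc = makeDoc(IETAB_CHROME_PREFIX + "ietab.xul", ["IETab"]); // constructed path
  const webDoc = makeDoc("http://web.example/page.html", ["IETab"]);
  return {
    vulnerable: { chrome: assignJSObjectVulnerable(chromeDoc, gIeTab),
                  web: assignJSObjectVulnerable(webDoc, gIeTab) },
    fixed: { chrome: assignJSObjectFixed(chromeDoc, gIeTab),
             web: assignJSObjectFixed(webDoc, gIeTab) },
  };
}
```

The fixed version still serves the wrapper page but refuses the web page, which is exactly the behaviour confirmed in the final review comment.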
I think that this should be public by now.
Flags: needinfo?(jorge)
Group: client-services-security
Flags: needinfo?(jorge)