Bug 48697
Opened 24 years ago
Closed 24 years ago
Bookmarked URLs can execute JS code with XPConnect calls
Categories: Core :: Security: CAPS, defect, P3
Status: VERIFIED INVALID
People: Reporter: law, Assigned: security-bugs
It seems as if javascript: bookmark URLs are evaluated in a context that permits access to XPConnect. This seems like it might be a security hole, especially since I just fixed bug 17524 which means that we now permit users to bookmark links (without actually visiting the page). The exploit I'm envisioning would be something like a web page that says "Bookmark this link to right now!" and the link contains malicious javascript/XPConnect code. I've set the URL in this bug to one that would demonstrate the problem (I think), if you were to right-click on this link and bookmark it. Unfortunately, you can't do that right this minute because I just checked in the fix for bug 17524 so it won't work till Monday's build. If you refresh navigator.xul and nsContextMenu.js, it should work. Alternatively, you can test this hole by simply doing "Manage Bookmarks" and changing a bookmark URL to be this, or something similar.
Comment 1 (Assignee) • 24 years ago
I can get access to Components from any kind of script, either content JavaScript or a JS URL. However, I can't access Components.classes. I think access to Components might be allowed to all, because it is harmless...but I could be wrong. Jband, is this an indication of dangerous behavior, or is this expected? Bill, can you generate a dangerous exploit?
No, not without trying harder, I guess. Sorry for the false alarm. I figured that xpconnect would be blocked by blocking access to the Components object in its entirety. Resolving as INVALID.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
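An audit of stored bookmarks for javascript: URLs, as an added example that is not part of this bug or of Mozilla's code. It assumes a Node.js runtime and its WHATWG URL parser (not the parser Mozilla shipped when this bug was filed); the function names and SAMPLE_BOOKMARKS are hypothetical.

```javascript
// Added example: audit bookmark records for javascript: URLs.
// Function names and SAMPLE_BOOKMARKS are constructed for illustration.

// Return the URL scheme as the WHATWG parser sees it: case-folded, with
// surrounding whitespace and embedded tab/newline characters removed.
function bookmarkScheme(rawUrl) {
  try {
    return new URL(rawUrl).protocol;
  } catch (e) {
    return null; // unparseable entries carry no scheme
  }
}

// Recover the script text of a javascript: URL, percent-decoded where possible.
function scriptBody(rawUrl) {
  const u = new URL(rawUrl);
  const body = u.pathname + u.search + u.hash;
  try {
    return decodeURIComponent(body);
  } catch (e) {
    return body; // malformed escapes: inspect the raw text instead
  }
}

// Flag every javascript: bookmark and note whether its script names the
// Components object, the XPConnect entry point discussed in this bug.
function auditBookmarks(bookmarks) {
  const findings = [];
  for (const { title, url } of bookmarks) {
    if (bookmarkScheme(url) !== "javascript:") continue;
    findings.push({
      title,
      touchesComponents: /\bComponents\b/.test(scriptBody(url)),
    });
  }
  return findings;
}

// Constructed sample data, not taken from the bug.
const SAMPLE_BOOKMARKS = [
  { title: "Plain link", url: "http://www.mozilla.org/" },
  { title: "Mixed case", url: "  JavaScript:void(Components.classes)" },
  { title: "Embedded tab", url: "java\tscript:void(0)" },
  { title: "Percent-encoded", url: "javascript:void(%43omponents)" },
  { title: "Unparseable", url: "not a url" },
];

console.log(auditBookmarks(SAMPLE_BOOKMARKS));
```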