Closed Bug 48697 Opened 24 years ago Closed 24 years ago

Bookmarked URLs can execute JS code with XPConnect calls

Categories

(Core :: Security: CAPS, defect, P3)

VERIFIED INVALID

People

(Reporter: law, Assigned: security-bugs)

It seems as if javascript: bookmark URLs are evaluated in a context that permits
access to XPConnect.

This seems like it might be a security hole, especially since I just fixed bug
17524 which means that we now permit users to bookmark links (without actually
visiting the page).  The exploit I'm envisioning would be something like a web
page that says "Bookmark this link to right now!" and the link contains
malicious javascript/XPConnect code.

I've set the URL in this bug to one that would demonstrate the problem (I
think), if you were to right-click on this link and bookmark it.  Unfortunately,
you can't do that right this minute because I just checked in the fix for bug
17524 so it won't work till Monday's build.

If you refresh navigator.xul and nsContextMenu.js, it should work.

Alternatively, you can test this hole by simply doing "Manage Bookmarks" and
changing a bookmark URL to be this, or something similar.

I can get access to Components from any kind of script, either content JavaScript
or a JS URL. However, I can't access Components.classes. I think access to
Components might be allowed to all, because it is harmless...but I could be
wrong.

Jband, is this an indication of dangerous behavior, or is this expected? 

Bill, can you generate a dangerous exploit?

No, not without trying harder, I guess.  Sorry for the false alarm.  I figured
that xpconnect would be blocked by blocking access to the Components object in
its entirety.

Resolving as INVALID.

Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID

Verified per law's comments.

Status: RESOLVED → VERIFIED