Closed
Bug 549459
Opened 14 years ago
Closed 14 years ago
Permission denied exception string way too descriptive
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla2.0b9
People
(Reporter: attila.m.magyar, Assigned: bzbarsky)
References
()
Details
(Keywords: privacy, verified1.9.1, verified1.9.2, Whiteboard: [sg:low privacy])
Attachments
(2 files)
2.94 KB,
text/html
|
Details | |
1.47 KB,
patch
|
mrbkap
:
review+
christian
:
approval1.9.2.14+
christian
:
approval1.9.1.17+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100215 Ubuntu/9.04 (jaunty) Shiretoko/3.5.8 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 Exception string: "Permission denied for <http://mysite.com> to call method Location.toString on <http://example.com>." The second domain name should not be part the exception text as it may leak information for a possible attacker. When a script is not permitted to read the location property of a window object, the exception should not leak partial information from that property. Reproducible: Always Steps to Reproduce: 1. Open a new window: var wnd = window.open(); 2. Use setInterval() to frequently read wnd.location.href. If any exception occurs, catch it, convert it to string, and extract domain names from it. Actual Results: The above described method allows a site to keep track of which (external) domains does the user visit in newly opened windows or tabs. Combining this with some social engineering (e.g. make the user allow popup windows) and catching keyboard events (e.g. CTRL+T) can lead to unwanted spying on visitors of a website. Expected Results: The "Permission denied" exception should not contain information about the external URL. The proof of concept demo has been tested with FF 3.5.8 on Ubuntu 9.04 and with FF 3.6 on Windows XP (SP2).
Comment 1•14 years ago
|
||
Interesting. This brings back memories of bug 363897. I wonder if we can set up some sort of secret handshake between caps and the error console without leaking the two origins in the message of the actual exception object (since that's the reason that we have the origins in there in the first place).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•14 years ago
|
Whiteboard: [sg:low privacy]
Comment 2•14 years ago
|
||
Assignee | ||
Comment 3•14 years ago
|
||
We could stick the "real" error text into a property that untrusted script can't get and revert the default error text to what it used to be before I tried to make jjbarton's life easier... Or we could just revert that fix, period. Probably much simpler.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.1:
--- → ?
status1.9.2:
--- → ?
Updated•14 years ago
|
Comment 6•14 years ago
|
||
Used in combination with the trick in bug 469939, this is not just a privacy bug. It can also be used to target phising attacks at users.
Comment 7•14 years ago
|
||
I think we should attempt to fix this for 1.9.3.
Assignee: nobody → mrbkap
blocking2.0: ? → final+
Reporter | ||
Comment 8•14 years ago
|
||
FYI there is public information on this kind of attack out there, today I found this article in my Google Reader: http://pet-portal.eu/?page=blog&topic=pet&view=2010_06_14_Rovid_hir_egy_erdekessegrol_az_XSUH (hungarian) which is written about the following paper: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf - this contains a similar method to steal whole URLs or just the domain part when it's not possible. Btw. am I allowed to publish detailed information about this bug on my (rarely updated and even more rarely visited) blog in the near future?
Comment 10•14 years ago
|
||
Given the XSUH paper I don't see why you couldn't blog about this. Maybe we should unhide the bug to avoid future duplicates.
Updated•14 years ago
|
Assignee: mrbkap → bzbarsky
Assignee | ||
Comment 12•14 years ago
|
||
OK. I'm going to fix this by effectively disabling the fixes for bug 434522 and bug 495176 until such a time as we can report different information to the UI and to the web page.
Assignee | ||
Comment 13•14 years ago
|
||
Though it looks like with the proxies+wrappers we basically never get into this code anyway... so those bugs were already backed out for the most part (yay lack of regression testing).
Assignee | ||
Comment 14•14 years ago
|
||
Attachment #499420 -
Flags: review?(mrbkap)
Assignee | ||
Updated•14 years ago
|
Priority: -- → P1
Whiteboard: [sg:low privacy] → [need review][sg:low privacy]
Updated•14 years ago
|
Attachment #499420 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 15•14 years ago
|
||
Pushed http://hg.mozilla.org/mozilla-central/rev/7dbd04a58fa0
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [need review][sg:low privacy] → [sg:low privacy]
Assignee | ||
Comment 16•14 years ago
|
||
Comment on attachment 499420 [details] [diff] [review] Don't show information about the object principal in the error string. This applies as-is to both branches.
Attachment #499420 -
Flags: approval1.9.2.14?
Attachment #499420 -
Flags: approval1.9.1.17?
Assignee | ||
Updated•14 years ago
|
Target Milestone: --- → mozilla2.0b9
Comment 17•14 years ago
|
||
Comment on attachment 499420 [details] [diff] [review] Don't show information about the object principal in the error string. a=LegNeato for 1.9.2.14 and 1.9.1.17
Attachment #499420 -
Flags: approval1.9.2.14?
Attachment #499420 -
Flags: approval1.9.2.14+
Attachment #499420 -
Flags: approval1.9.1.17?
Attachment #499420 -
Flags: approval1.9.1.17+
Assignee | ||
Comment 18•14 years ago
|
||
Pushed: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/4de0968e31a1 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/cb4fb4d7e086
Comment 19•14 years ago
|
||
This caused permanent orange in mochitest on all platforms on 1.9.2: 107291 ERROR TEST-UNEXPECTED-FAIL | /tests/modules/plugin/test/test_pluginstream_newstream.html | exception Permission denied for <http://localhost:8888> to get property HTMLDocument.body thrown
Assignee | ||
Comment 20•14 years ago
|
||
Yeah, that test is bogus.... I pushed http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6697a04d3f87 to fix the bogosity (which is just an exact copy of the changeset that fixed said bogosity on trunk back when compartments landed).
Assignee | ||
Comment 21•14 years ago
|
||
And then http://hg.mozilla.org/releases/mozilla-1.9.2/rev/7f6049187692 because the message format from the security manager isn't the same as what the security wrappers produce. Why the wrappers decided to use different strings, I have no idea. :(
Comment 22•14 years ago
|
||
Verified fixed in 1.9.2 using attached testcase with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14pre) Gecko/20110103 Namoroka/3.6.14pre. Verified bad behavior in 1.9.2.13. Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.17pre) Gecko/20110106 Shiretoko/3.5.17pre and verified bad behavior in 1.9.1.16.
Keywords: verified1.9.1,
verified1.9.2
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•