Closed Bug 626775 (CVE-2013-0794) Opened 14 years ago Closed 11 years ago

Tab modal dialog spoofing (DOMWillOpenModalDialog + navigation)

Categories

(Toolkit :: General, defect)

Product:
Toolkit
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21
Tracking Flags:
Tracking Status
firefox19 + wontfix
firefox20 + fixed
firefox21 + fixed
firefox-esr10 --- wontfix
firefox-esr17 19+ wontfix
b2g18 19+ wontfix

People

(Reporter: sync2d, Assigned: fryn)

References

Details

(Keywords: csectype-spoof, sec-moderate, Whiteboard: [sg:moderate][fixed-in-bug-611553][adv-main20+])

Attachments

(2 files)

testcase
836 bytes, text/html
Details
testcase that simply breaks the tab altogether
95 bytes, text/html
Details
Attached file testcase 
bug 625187 without iframes.
Even in 3.6.x the timing here is pretty spooftastic -- the dialog title says the name of the other site but it overlays the Google content that's built behind it.

We could do all kinds of things differently (if not easily)
 - don't layout a new page while a modal dialog is open
 - auto-cancel the modal dialog on navigation
 - leave the dialog open, but break the connection to the
   calling page and just give them a "cancel" response.
Assignee: nobody → dolske
A check for something like |callingWindow.top == windowForPrompt.top| would probably be good to have (and just throw if that's the case, because we never want that to happen anyway).
Summary: tab modal dialog spoofing without iframes → Tab modal dialog spoofing (DOMWillOpenModalDialog + navigation)
Whiteboard: [sg:moderate]
Assignee: dolske → fryn
Hmm, I wonder if this and bug 383382 are the same thing.
While investigating this bug, I discovered that the prompter code can be completely broken with the following.

addEventListener('DOMWillOpenModalDialog', function() confirm(0));
alert(0);

Once this runs, if a user tries to navigate the tab to another address, it won't be displayed to the user and only the blank confirm dialog will be visible.

The check that Dolske suggests might be sufficient for the security part, but would completely disallowing prompts inside DOMWillOpenModalDialog handlers make sense?
DOMWillOpenModalDialog shouldn't be visible to content scripts at all - we just need to fix that, AFAICT.
(In reply to Gavin Sharp (use gavin@gavinsharp.com for email) from comment #5)
> DOMWillOpenModalDialog shouldn't be visible to content scripts at all - we
> just need to fix that, AFAICT.

Okay, fixing bug 611553 should do it then.
I just attached a patch to that bug.
Status: NEW → ASSIGNED
I just fixed this by making DOMWillOpenModalDialog chrome-only in bug 611553.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
OS: Windows Vista → All
Hardware: x86 → All
Resolution: --- → FIXED
Whiteboard: [sg:moderate] → [sg:moderate][fixed-in-bug-611553]
Target Milestone: --- → mozilla21
We should land this on the branches... does b2g use this code? we maybe want to fix it there as well.
status-firefox-esr10: --- → wontfix
status-firefox19: --- → affected
status-firefox20: --- → affected
status-firefox21: --- → affected
status-firefox-esr17: --- → affected
tracking-b2g18: --- → ?
tracking-firefox19: --- → +
tracking-firefox20: --- → +
tracking-firefox21: --- → +
tracking-firefox-esr17: --- → 19+
Depends on: 611553
the fix in bug 611553 builds on bug 830858, and that changes the nsIDOMWindowUtils API -- pretty internal-ish but still might be used by add-ons so I'm not sure we could actually take this on stable branches. At least not without creating nsIDOMWindowUtils2 or something.
Depends on: 830858
This affects the b2g browser as well.
status-b2g18: --- → affected
tracking-b2g18: ?19+
(In reply to Daniel Veditz [:dveditz] from comment #10)
> This affects the b2g browser as well.

If they forked Firefox desktop or Fennec (XUL and Java), then they may need to patch their code, since the DOMWillOpenModalDialog event is also dispatched from the front end for those code bases.
I can take a look.
Where does their front-end b2g browser code live?
Frank - can you prepare patches for Aurora 20? Given the fact that bug 830858 changes interfaces and this is sec-moderate, we've decided to wontfix for FF19, B2G18 and ESR17.
status-b2g18: affectedwontfix
status-firefox19: affectedwontfix
status-firefox-esr17: affectedwontfix
(In reply to Alex Keybl [:akeybl] from comment #13)
> Frank - can you prepare patches for Aurora 20? Given the fact that bug
> 830858 changes interfaces and this is sec-moderate, we've decided to wontfix
> for FF19, B2G18 and ESR17.

Sure. Given that the patches that fixed this bug are in two public bugs, should I simply use the same commit messages? If so, should I simply flag the patches in those bugs for aurora 20 approval? If not, do you want me to upload a copy of those patches combined into one to this bug with a different commit message?
status-firefox21: affectedfixed
Yeah let's nominate the two separate bugs, and just put in a private comment reminding us of the security implications. Thanks!
Keywords: csec-spoof
Whiteboard: [sg:moderate][fixed-in-bug-611553] → [sg:moderate][fixed-in-bug-611553][adv-main20+]
Alias: CVE-2013-0794
Summary: Tab modal dialog spoofing (DOMWillOpenModalDialog + navigation) → Tab modal dialog spoofing
Summary: Tab modal dialog spoofing → Tab modal dialog spoofing (DOMWillOpenModalDialog + navigation)
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: