Closed Bug 721398 (CVE-2012-0476) Opened 12 years ago Closed 12 years ago

moz-page-thumb protocol should not be accessible from a web page

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
12 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 12
Tracking Flags:
Tracking Status
firefox11 --- unaffected
firefox12 + verified
firefox-esr10 --- unaffected

People

(Reporter: teramako, Unassigned)

References

Details

(Keywords: privacy, Whiteboard: [sg:moderate][qa+])

Attachments

(2 files)

page owner can know URLs are visited in past using img.onerror
1.39 KB, text/html
Details
patch v1
1.42 KB, patch
mak
: review+
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120126 Firefox/12.0a1
Build ID: 20120126031113

Steps to reproduce:

moz-page-thumb://thumbnail?url=.... can access from a web page.
It should access only in privileged site for security and privacy reason.

If can access on a web page, evil site owner can know that the user accessed or not the URL in past.
Attachment #591804 - Attachment mime type: text/plain → text/html
Reported publicly in bug 721408, I'm going to open this up. It means we should fix immediately or back out bug 497543.
Group: core-security
Component: Untriaged → Places
Product: Firefox → Toolkit
QA Contact: untriaged → places
Whiteboard: [sg:high]
Assignee: nobody → ttaubert
Blocks: 497543
status-firefox11: --- → unaffected
status-firefox12: --- → affected
tracking-firefox12: --- → +
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #1)
> Reported publicly in bug 721408, I'm going to open this up. It means we
> should fix immediately or back out bug 497543.

Going to push the fix in a minute.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attached patch patch v1Splinter Review 

        Attachment #591820 -
        Flags: review?(mak77)

    
    

    
  
Comment on attachment 591820 [details] [diff] [review]
patch v1

Review of attachment 591820 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/components/thumbnails/Makefile.in
@@ +17,5 @@
>  EXTRA_PP_JS_MODULES = \
>  	PageThumbs.jsm \
>  	$(NULL)
>  
> +#ifdef ENABLE_TESTS

File a bug to fix the tests, add a comment pointing to that bug.

        Attachment #591820 -
        Flags: review?(mak77) → review+
Assignee: ttaubert → nobody
Component: Places → General
Product: Toolkit → Firefox
QA Contact: places → general

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/7cdb5f5d38c6
Blocks: 721422
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
OS: Windows XP → All
Hardware: x86 → All
Resolution: --- → FIXED
Summary: moz-page-thumb protocol should not access from a web page → moz-page-thumb protocol should not be accessible from a web page
Target Milestone: --- → Firefox 12

    
  
Whiteboard: [sg:high] → [sg:high][qa+]

    
    

    
  
Could you please tell me how to test this ?

    
    

    
  
You can open about:newtab and right-click to inspect the document. Now the .newtab-thumbnail elements have a background-image set. This should look like "moz-page-thumb://thumbnail?url=http%3A%2F%2Fwww.reddit.com%2F".

If you now create a custom web page like data:text/html,<img src="moz-page-thumb://thumbnail?url=http%3A%2F%2Fwww.reddit.com%2F"/> the image should be broken because it's a normal content web page (i.e. without chrome privs).
Alias: CVE-2012-0476

          status-firefox-esr10:
          --- → unaffected
Keywords: privacy
Whiteboard: [sg:high][qa+] → [sg:moderate][qa+]

    
    

    
  
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0

Verified in Firefox 12 beta 6. The image is now broken when attempting to load it.

          status-firefox12:
          fixedverified

    
    

    
  
Verified in trunk with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120418 Firefox/14.0a1.
Status: RESOLVED → VERIFIED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: