Closed
Bug 796646
Opened 12 years ago
Closed 6 years ago
[Image-uploader] Vulnerability analysis issues
Categories
(Firefox OS Graveyard :: Gaia, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: ghtobz, Unassigned)
Details
(Whiteboard: [label:system])
[GitHub issue by mcjimenez on 2012-09-14T09:41:36Z, https://github.com/mozilla-b2g/gaia/issues/4730]

We have run an automated vulnerability analysis on the Gaia code. After manually filtering the results we have found the following possible issues in the image-uploader app:

* /js/ext/oauth.js

  On line 333 of oauth.js the program uses insecure randomness. Standard pseudo-random number generators cannot withstand cryptographic attacks. Additionally we have two separate OAuth implementations: this one and the one in the communications app. Wouldn't it be better to join them?

  ```js
  331 var result = "";
  332 for (var i = 0; i < length; ++i) {
  333   var rnum = Math.floor(Math.random() * chars.length);
  334   result += chars.substring(rnum, rnum+1);
  335 }
  ```

  The Math.random function isn't cryptographically robust. It's very probable that two apps executing in parallel will get exactly the same chain of pseudorandom values. For this use case, and since the random values are used to calculate an OAuth nonce, the server could reject the requests since it would identify them as a repetition attack. http://baagoe.org/en/w/index.php/Better_random_numbers_for_javascript

* /js/image-uploader.js

  The method setStatus() in image-uploader.js sends unvalidated data to a web browser on line 447, which can result in the browser executing malicious code.

  ```js
  78 if (xhr.responseText.match(url + 'show/')) {
  79   var re = new RegExp(url + 'show/(.*).html');
  80   var ar = re.exec(xhr.responseText);
  81   var pid = ar[1];
  82   var up = ar[0];
  83   setStatus('Uploaded successfully: ' + pid);
  ....
  445 function setStatus(msg) {
  446   showBannerStatus();
  447   document.getElementById('uploaded').innerHTML = msg;
  448 }
  ```

  The value being passed is read from an XMLHttpRequest invocation over which we have no control (mozSystem: true -> it need not even be in the same domain).
[GitHub comment by mcjimenez on 2012-09-15T09:54:36Z] cc @AntonioMA
Comment 2 (6 years ago)
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX