Closed Bug 796646 Opened 12 years ago Closed 6 years ago

[Image-uploader] Vulnerability analysis issues

Categories

(Firefox OS Graveyard :: Gaia, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: ghtobz, Unassigned)

Details

(Whiteboard: [label:system])

[GitHub issue by mcjimenez on 2012-09-14T09:41:36Z, https://github.com/mozilla-b2g/gaia/issues/4730]
We have run an automated vulnerability analysis on the Gaia code. 
After manually filtering the results we have found the following possible issues on the image-uploader app:

* /js/ext/oauth.js 

On line 333 of oauth.js the program uses insecure randomness. Standard pseudo-random number generators cannot withstand cryptographic attacks.

Additionally, we have two separate OAuth implementations: this one and the one in the communications app. Wouldn't it be better to join them?

```js
331 var result = "";
332 for (var i = 0; i < length; ++i) {
333   var rnum = Math.floor(Math.random() * chars.length);
334   result += chars.substring(rnum, rnum+1);
335 }
```
The Math.random function isn't cryptographically robust. It's very probable that two apps executing in parallel
will get exactly the same chain of pseudorandom values. For this use case, and since the random
values are used to calculate an OAuth nonce, the server could reject the petitions since it would
identify them as a repetition attack.
http://baagoe.org/en/w/index.php/Better_random_numbers_for_javascript

* /js/image-uploader.js 

The method setStatus() in image-uploader.js sends unvalidated data to a web browser
on line 447, which can result in the browser executing malicious code.

```js
78 if (xhr.responseText.match(url + 'show/')) {
79   var re = new RegExp(url + 'show/(.*).html');
80   var ar = re.exec(xhr.responseText);
81   var pid = ar[1];
82   var up = ar[0];
83   setStatus('Uploaded successfully: ' + pid);
....
445 function setStatus(msg) {
446   showBannerStatus();
447   document.getElementById('uploaded').innerHTML = msg;
448 }
```
The value being passed is read from an XMLHttpRequest invocation over which we have
no control (mozSystem: true -> it is not even in the same domain).
[GitHub comment by mcjimenez on 2012-09-15T09:54:36Z]
cc @AntonioMA
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX