Closed
Bug 1028554
Opened 11 years ago
Closed 7 years ago
CalDAV UIDs are not properly sanitized
Categories
(Firefox OS Graveyard :: Gaia::Calendar, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: nicolas.golubovic+bugzilla, Unassigned)
References
Details
(Keywords: csectype-dos, csectype-spoof, sec-moderate)
Attachments
(1 file)
6.82 KB, text/plain
When synchronizing events with a malicious CalDAV server, this server may use specially crafted UIDs to crash or break the calendar when the user clicks on the events. This is due to improper sanitization in a URL context. I've found two instances of vulnerable code:
js/views/day.js line 29 [1]:
Calendar.App.router.show('/event/show/' + target.dataset.id + '/');
js/views/months_day.js line 61 [2]:
Calendar.App.router.show('/event/show/' + target.dataset.id + '/');
As can be seen from the code above, target.dataset.id is put into the router without any sanitization of chars which have a special meaning in URLs, like /, ., # and ?.
An attacker may use this to perform one or all of the following attacks:
- Use /? to force an empty event description page. This throws all kinds of JavaScript errors and does not allow the user to delete the event.
- Use something like ../../something/# to crash the app due to a 404 error (the router will redirect to the URL if it does not find a match).
As the UID is prefixed with a static string ('/event/show/' and some other stuff that's part of dataset.id), there is no immediate danger of an XSS attack with "javascript:alert(1)". Furthermore, the router makes it hard to create fake links to views of the app because it only accepts exact matches (without path normalization).
I've attached a simple Python 3 implementation of a malicious CalDAV server. It listens on port 5000 on the local host and accepts every username/password combination. It will inject the malicious events into June the 19th.
[1] https://github.com/mozilla-b2g/gaia/blob/master/apps/calendar/js/views/day.js#L29
[2] https://github.com/mozilla-b2g/gaia/blob/master/apps/calendar/js/views/months_day.js#L61
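An added example, not code from the report or from Gaia: a simplified stand-in for the app router (exact match only, no path normalization, as the report describes) that contrasts the quoted concatenation with a percent-encoded build of the same route, using the two crafted UIDs named above. The route pattern and the function names are assumptions for illustration.

```javascript
// Added example (not Gaia's code). A minimal exact-match router stand-in:
// the only route it knows is '/event/show/<id>/'. Anything else is a 404
// (returned here as null), which is the failure the report describes.
const ROUTE = /^\/event\/show\/([^/]+)\/$/;   // assumed pattern

function routerMatch(path) {
  const m = ROUTE.exec(path);
  return m ? { view: 'event/show', id: m[1] } : null;
}

// Vulnerable form, as quoted in the report: the untrusted dataset.id is
// concatenated straight into the path, so '/', '?', '#' and '.' in the UID
// keep their URL meaning and can change which route is matched.
function buildPathUnsafe(id) {
  return '/event/show/' + id + '/';
}

// Hardened form: percent-encode the id as a single path segment, so the
// UID can never introduce extra segments, a query string or a fragment.
function buildPathSafe(id) {
  return '/event/show/' + encodeURIComponent(id) + '/';
}

function resolveUnsafe(id) {
  return routerMatch(buildPathUnsafe(id));
}

// The view that handles the route decodes the segment to recover the UID.
function resolveSafe(id) {
  const m = routerMatch(buildPathSafe(id));
  return m ? { view: m.view, id: decodeURIComponent(m.id) } : null;
}

// Constructed sample UIDs: one benign, two from the report.
const SAMPLE_UIDS = ['abc-123@example.com', '/?', '../../something/#'];

function demo() {
  return SAMPLE_UIDS.map(uid => ({
    uid,
    unsafe: resolveUnsafe(uid),   // null for both crafted UIDs
    safe: resolveSafe(uid),       // always resolves, id round-trips
  }));
}
```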
Comment 1•11 years ago
Given the limited bad results seen so far I'll call this sec-moderate, but in general operating on unsanitized inputs could be sec-high or worse.
Keywords: sec-moderate
Comment 2•11 years ago
I agree about sec-moderate. The harmful data comes from the CalDav server, a more or less trusted entity. AFAIU these fields can't be controlled by a potentially malicious user you share a calendar with.
Keywords: csectype-dos, csectype-spoof
Comment 4•11 years ago
Transferring ni? to :gaye for prioritization.
Flags: needinfo?(doliver) → needinfo?(gaye)
Updated•10 years ago
Group: core-security → b2g-core-security
Comment 5•7 years ago
FirefoxOS is no longer under active development.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(gaye)
Resolution: --- → INCOMPLETE
Updated•7 years ago
Group: b2g-core-security