Closed Bug 10725 Opened 21 years ago Closed 20 years ago

Downloadable XUL allows window spoofing

Categories

(Core :: Security, defect, P3, major)

x86
Windows 95
defect

VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

Downloadable XUL allows window spoofing

There is a security vulnerability in Mozilla 5.0 M8 which allows window spoofing
by using downloadable XUL.
The problem is modifying the location bar in a downloaded XUL file. The input
control for the location bar is changed and the original one is made hidden.
So when the user enters a URL in the "location bar" it in fact is entered in
another input control which sets the spoofed url in the real location bar and
then BrowserLoadURL() is executed.

In downloaded navigator.xul:
The following was added:
<html:input id="urlbar" type="hidden" />

The following was modified:
<html:input id="urlbar2" type="text" chromeclass="location"
            style="min-width: 100px; min-height: 25px; height: 20px"
            onkeyup="if (event.which == 13) {
                document.getElementById('urlbar').value = 'http://www.mozilla.org';
                BrowserLoadURL(); }"/>;

For more information, examine the source of navigator.xul.
Demonstration is available at:
http://www.nat.bg/~joro/mozilla/chrome.html
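
An added example, not part of the original report or of Mozilla's code: a Python check that flags the pattern described above in a XUL file fetched from the web (the real urlbar input made hidden, a second input styled as the location bar, and a handler that writes the real urlbar's value). The two sample documents, the html namespace URI and the name audit_xul are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two fragments quoted in the report.
# The namespace URI bound to the html: prefix is an assumption.
SPOOFED_XUL = """<window xmlns:html="http://www.w3.org/TR/REC-html40">
  <html:input id="urlbar" type="hidden" />
  <html:input id="urlbar2" type="text" chromeclass="location"
      onkeyup="if (event.which == 13) {
        document.getElementById('urlbar').value = 'http://www.mozilla.org';
        BrowserLoadURL(); }"/>
</window>"""

# Constructed benign counterpart: one visible location input, no value rewrite.
BENIGN_XUL = """<window xmlns:html="http://www.w3.org/TR/REC-html40">
  <html:input id="urlbar" type="text" chromeclass="location"
      onkeyup="if (event.which == 13) { BrowserLoadURL(); }"/>
</window>"""

# A script fragment that assigns to the real location bar's value.
WRITES_URLBAR = re.compile(
    r"getElementById\(\s*['\"]urlbar['\"]\s*\)\s*\.value\s*=")

def audit_xul(xul_text):
    """Return (finding, detail) tuples for location-bar spoofing patterns."""
    findings = []
    for el in ET.fromstring(xul_text).iter():
        # Compare on the local name so the check does not depend on the prefix.
        if el.tag.rsplit("}", 1)[-1] != "input":
            continue
        el_id = el.get("id", "")
        el_type = el.get("type", "text").lower()
        # 1. The control the browser code reads from is no longer visible.
        if el_id == "urlbar" and el_type == "hidden":
            findings.append(("hidden-urlbar", el_id))
        # 2. A different input is dressed up as the location bar.
        if el.get("chromeclass") == "location" and el_id != "urlbar":
            findings.append(("decoy-location-input", el_id))
        # 3. An event handler overwrites what the real location bar contains.
        for name, value in el.attrib.items():
            if name.startswith("on") and WRITES_URLBAR.search(value):
                findings.append(("handler-writes-urlbar", f"{el_id}@{name}"))
    return findings

if __name__ == "__main__":
    for label, doc in (("spoofed", SPOOFED_XUL), ("benign", BENIGN_XUL)):
        print(label, audit_xul(doc))
```
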
From a security standpoint I'm going to distinguish between XUL that's either
shipped with Navigator or installed on the disk by the user, and XUL that's read
from web pages. The "installed XUL" should be able to do what it likes. The
security control will be the same as for native code--the point of control is
getting something onto your disk.

"Web XUL", if there is such a beast, should have no more power than a web page.

With this security policy, do you still consider this a bug?
This security policy will almost surely fix this bug, I agree.
But I continue to think that downloadable chrome is dangerous - check:
http://bugzilla.mozilla.org/show_bug.cgi?id=11457
Status: NEW → ASSIGNED
Target Milestone: M11
Blocks: 12633
Target Milestone: M11 → M13
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
XPAppCoresManager is finally dead, fixing this security hole.
Verified fixed.
Status: RESOLVED → VERIFIED
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General