User Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2376.0 Safari/537.36

Steps to reproduce:

The caption box for the screen reader doesn't escape HTML tags contained in an input string (below).
https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/accessibility.js#L596

It can cause an arbitrary application execution vulnerability. The detailed attack scenario on Firefox OS 3.0 is below.

1. Open the following URL in the Browser app:
https://www.google.co.jp/search?q=%3Ciframe%20mozbrowser%20remote%20mozapp=%22app://fm.gaiamobile.org/manifest.webapp%22%20src=%22app://fm.gaiamobile.org/index.html%22%3E
2. Activate the "Screen Reader" function from the accessibility menu in the Settings app and enable the "Display speech" option.
3. Open the Browser app again and focus the cursor on the window opened in step 1.

Actual results:

The FM Radio app is executed in the caption box dialog, as in the attached picture.

Expected results:

HTML tags in the input string should be displayed as plain text in the caption box.
Eitan, can you direct this to the right product/component + person etc.? :-)
Looks like we should be using textContent, and not innerHTML.
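Added example, not code from the gaia repository or from any commenter: a minimal model of the two DOM sinks discussed in this bug, showing why screen-reader speech text must go through `textContent` rather than `innerHTML`. The stand-in `Element` class, the `showCaption*` functions and the sample string are constructed for illustration so the block runs in Node without a browser.

```javascript
// Stand-in for the two DOM sinks; in a real page these are the browser's own
// properties and the fix is simply `captionEl.textContent = speechText`.
class TextNode {
  constructor(data) { this.nodeType = 3; this.data = data; }
}
class Element {
  constructor(tagName) {
    this.nodeType = 1;
    this.tagName = tagName.toUpperCase();
    this.childNodes = [];
  }
  // Parsing sink: any tag in the string becomes a live element node.
  set innerHTML(html) {
    this.childNodes = [];
    const token = /<\/?([a-zA-Z][\w-]*)[^>]*>|([^<]+)/g;
    let m;
    while ((m = token.exec(html)) !== null) {
      if (m[1] && !m[0].startsWith('</')) this.childNodes.push(new Element(m[1]));
      else if (m[2]) this.childNodes.push(new TextNode(m[2]));
    }
  }
  // Text sink: the whole string becomes a single text node, angle brackets included.
  set textContent(text) { this.childNodes = [new TextNode(String(text))]; }
}

// Vulnerable pattern (what the caption code did before the patch): untrusted
// speech text, e.g. a page title, flows into a parsing sink.
function showCaptionUnsafe(captionEl, speechText) {
  captionEl.innerHTML = speechText;
  return captionEl;
}
// Fixed pattern (what the patch does): the text is rendered verbatim.
function showCaptionSafe(captionEl, speechText) {
  captionEl.textContent = speechText;
  return captionEl;
}
// Review helper: tag names of any element nodes the caption box ended up with.
function injectedElements(el) {
  return el.childNodes.filter((n) => n.nodeType === 1).map((n) => n.tagName);
}

// Constructed sample: a page title carrying markup that the reader would announce.
const SAMPLE = 'Results for <iframe src="app://example.invalid/index.html">';
function demo() {
  return {
    unsafe: injectedElements(showCaptionUnsafe(new Element('div'), SAMPLE)),
    safe: injectedElements(showCaptionSafe(new Element('div'), SAMPLE)),
  };
}
console.log(demo()); // unsafe: [ 'IFRAME' ], safe: []
```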
I could write a pull request for that. Should I just do a public one and attach it to this bug?
I don't know what the protocol is for having this land. I didn't open a new GH pull request, because this is a confidential bug.
Rating this sec-high like bug 1101158, but I'm not sure what permissions the screen reader app has compared to the system app, so it could be lower. Paul?

Dammit guys, enough of the innerHTML already. That should be part of day 1 training for every new dev.
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Rating this sec-high like bug 1101158, but I'm not sure what permissions the
> screen reader app has compared to the system app so it could be lower. Paul?
>
> dammit guys, enough of the innerHTML already. That should be part of day 1
> training for every new dev.

I just checked and this landed in 2.2, so it needs to block. There's a simple patch and it fixes a sec-high bug, so hopefully this is fine to land.
blocking-b2g: --- → 2.2?
(PS: 2.2 hasn't shipped yet, so this probably doesn't need to stay hidden, as long as the fix makes it in.)
Blocking as sec-high bug
blocking-b2g: 2.2? → 2.2+
Comment on attachment 8596025 [details] [diff] [review]
Use textContent instead of innerHTML in screen reader speech caption.

Review of attachment 8596025 [details] [diff] [review]:
-----------------------------------------------------------------

r=me, thanks
Attachment #8596025 - Flags: review?(alive) → review+
The same bug is in https://github.com/mozilla-b2g/gaia/blob/f34ce82a840ad3c0aed3bfff18517b3f6a0eb37f/tv_apps/smart-system/js/accessibility.js#L503, btw. Can you take a look, Eitan?
Is "tv_apps" an active project (and in scope of your bounty program)? I'm not sure it is really exploitable, since I don't have an execution environment for tv_apps, but the following code may have the same defect.
https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/modal_dialog.js#L379
I think the released products that use the tv_apps are using older branches. Let's find out…
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Comment on attachment 8596025 [details] [diff] [review]
Use textContent instead of innerHTML in screen reader speech caption.

[Approval Request Comment]
[Bug caused by] (feature/regressing bug #):
[User impact] if declined: Remotely exploitable: arbitrary HTML can be run in the system app.
[Testing completed]: Yes, manual.
[Risk to taking this patch] (and alternatives if risky): Low
[String changes made]: None
Attachment #8596025 - Flags: approval-gaia-v2.2?
Attachment #8596025 - Flags: approval-gaia-v2.2? → approval-gaia-v2.2+
Eitan, can you take a look at https://github.com/mozilla-b2g/gaia/blob/f34ce82a840ad3c0aed3bfff18517b3f6a0eb37f/tv_apps/smart-system/js/accessibility.js#L503 too?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
https://github.com/mozilla-b2g/gaia/commit/0636405f0844bf32451a375b2d61a2b16fe33348

Carried over alive's review. Nominate that for whatever other branch this needs to land on for TV.
Status: REOPENED → RESOLVED
Last Resolved: 4 years ago → 4 years ago
Resolution: --- → FIXED