URL and error message spoofing in about:neterror

Categories: Core :: DOM: Core & HTML, defect, P5
People: Reporter: jupenur, Unassigned
References: Blocks 2 open bugs
Keywords: csectype-spoof, reporter-external, sec-low
Attachments: 1 file (79.96 KB, image/png)
Comment 8 • 1 year ago

I've checked that the link cannot be loaded when clicked, nor can we navigate to it via location.href.
Comment 9 • 1 year ago

The problem still exists. The mitigations on accessing the link are why this bug was rated sec-low instead of sec-moderate (or sec-high if scripting were possible). Those mitigations make it hard to get to the error page, but if other minor security bugs were found that let an attacker get around the mitigations, the param-passing design of about:neterror is dangerous. For example, one of our error-throwing features might forget to escape things or incorporate too much of the user's input into the error message.
The URL in comment 2 doesn't show the problem any more since we've split about:neterror and about:certerror. Here's an equivalent with a different error code:
about:neterror?e=dnsNotFound&u=https%3A%2F%2Fevil.com&d=%F0%9F%90%9E%20The%20website%20you%20tried%20to%20access,%20https:%2F%2Fwww.bankofamerica.com%2F,%20appears%20to%20have%20been%20compromised.%20Please%20contact%20evil.guy@igi.tl%20for%20support.
The primary offender is nsDocShell::DisplayLoadError(). Even if it's safely creating formatted strings, the fact that it's formatting them outside of the neterror page itself means neterror has to accept and display arbitrary string arguments. If it passed the errorDescriptionID as an about:neterror param and let about:neterror do the intl lookup and formatting instead then this particular injection wouldn't be possible. There may be others in this code, in other arguments—this is just the low-hanging fruit example.