Closed Bug 12124 Opened 21 years ago Closed 21 years ago

[DOGFOOD] Reading user's preferences

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking

VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

Details

(Whiteboard: [PDT+] To be fixed by 11/19)

There is a security vulnerability in Mozilla M8 (later versions are also
affected) which allows web pages to execute .js files on the local machine.
If the preferences file is executed and the "user_pref" function is defined,
sensitive information may be stolen.

The code in a .xul file is:
<html:script>
  <![CDATA[
  function user_pref(a,b) {
    dump(a+"="+b+"\n");
  }
  ]]>
</html:script>
<html:script src="file://c:/Users50/mozProfile/prefs50.js">
</html:script>

Demonstration is available at: http://www.nat.bg/~joro/mozilla/filesrc.xul

Status: NEW → ASSIGNED
Target Milestone: M11
Blocks: 12633

<script src="file:..."> should be disabled from non-file pages, as was done in
4.x.

Move security bugs from M11 to M13; needed for beta but not for dogfood.

Summary: Reading user's preferences → [DOGFOOD] Reading user's preferences
Marking dogfood for analysis by PDT at jar's request.

Can you give us an example of cost to fix.  Our alternative is to disable
password saving in the prefs.  Need this for beta, but need more info for
dogfood.  We will review on Monday night again.  Thanks!

Whiteboard: [PDT+]
Putting on PDT+ radar.

Whiteboard: [PDT+] → [PDT+] To be fixed by 11/19

Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

Blocks: 18951

Windows NT 1999112908 Com
Test 1: Do same origin script src's work?
Yes
Test 2: Do local origin script src's work?
Yes
Test 3: Do remote origin / local file script src's work?
No
However, there is no error reported that a local file script src was attempted?
Should there be?

Status: RESOLVED → VERIFIED
I'll open a separate bug regarding having Security Error conditions for illegal
<script src="file:..."> attempts, which will be non-PDT.

Bulk moving all Browser Security bugs to new Security: General component.  The
previous Security component for Browser will be deleted.
Component: Security → Security: General
No longer blocks: 18951
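
The rule proposed in this bug (refuse <script src="file:..."> unless the including page is itself a file: page) and the three verification tests, as an added JavaScript example that is not Mozilla's code. mayLoadScript, LOCAL_SCHEMES, runMatrix and the "Security Error" reason text are assumptions made for illustration; the example.com URLs are constructed.

```javascript
// Added illustration, not Mozilla source. mayLoadScript and LOCAL_SCHEMES are
// hypothetical names; all URLs in SAMPLE_CASES are constructed except the
// prefs path, which is the one quoted in the report.
const LOCAL_SCHEMES = new Set(["file:"]);

function mayLoadScript(pageUrl, scriptSrc) {
  let page, script;
  try {
    page = new URL(pageUrl);
    // Resolve src against the including page, as the browser does, so a
    // relative src on a file: page is still classified as local.
    script = new URL(scriptSrc, page);
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  // URL.protocol is already lower-cased, so "FILE:" cannot slip past.
  const pageIsLocal = LOCAL_SCHEMES.has(page.protocol);
  const scriptIsLocal = LOCAL_SCHEMES.has(script.protocol);
  if (scriptIsLocal && !pageIsLocal) {
    // Reporting the refusal is the follow-up the verifier asked about.
    return { allowed: false,
             reason: "Security Error: " + page.protocol + " page may not load " + script.href };
  }
  return { allowed: true, reason: "ok" };
}

const SAMPLE_CASES = [
  ["Test 1: same origin", "http://www.example.com/a.xul", "http://www.example.com/lib.js"],
  ["Test 2: local page, local script", "file:///c:/test/page.xul", "lib.js"],
  ["Test 3: remote page, local script", "http://www.example.com/filesrc.xul",
   "file://c:/Users50/mozProfile/prefs50.js"],
  ["Upper-case scheme", "http://www.example.com/a.xul", "FILE:///c:/x.js"],
];

function runMatrix() {
  return SAMPLE_CASES.map(([name, page, src]) => ({ name, ...mayLoadScript(page, src) }));
}

for (const r of runMatrix()) {
  console.log(`${r.name}: ${r.allowed ? "Yes" : "No"} (${r.reason})`);
}
```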