12124 - [DOGFOOD] Reading user's preferences

Status: VERIFIED FIXED

(Core :: Security, defect, P3)

Description

[joro]

There is a security vulnerability in Mozilla M8 (later versions are also
affected)
which allows web pages to execute .js files on the local machine.
If the preferences file is executed and the "user_pref" function is defined, a
sensitive information may be stolen.

The code in a .xul file is:
<html:script>
   <![CDATA[
   function user_pref(a,b) {
     dump(a+"="+b+"\n");
   }
   ]]>
  </html:script>
<html:script src="file://c:/Users50/mozProfile/prefs50.js">
</html:script>

Demonstration is available at: http://www.nat.bg/~joro/mozilla/filesrc.xul

Comment 1

[Norris Boyd]

<script src="file:..."> should be disabled from non-file pages, as was done in
4.x.

Comment 2

[Norris Boyd]

Move security bugs from M11 to M13; needed for beta but not for dogfood.

Comment 3

[Norris Boyd]

Marking dogfood for analysis by PDT at jar's request.

Comment 4

[leger]

Can you give us an example of cost to fix.  Our alternative id to disable
password saving in the prefs.  Need this for beta, but need more info for
dogfood.  We will review on Monday night again.  Thanks!

Comment 5

[leger]

Putting on PDT+ radar.

Comment 6

[dshea]

Windows NT 1999112908 Com
Test 1: Do same origin script src's work?
Yes
Test 2: Do local origin script src's work?
Yes
Test 3: Do remote origin / local file script src's work?
No
However, there is no error reported that a local file script scr was attempted?
Should there be?

Comment 7

[dshea]

I'll open a seperate bug regarding having Security Error conditions for illegal
<script src="file:..."> attempts, which will be non-PDT.

Comment 8

[leger]

Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.