Closed Bug 12310 Opened 25 years ago Closed 25 years ago

Injection of text in documents in the "file:" protocol

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

Details

(Whiteboard: help wanted: someone from Necko?)

There is a security vulnerability in Mozilla M8 (later versions are also affected) which allows injecting text in documents in the "file:" protocol.
The problem is links like "file://c:/INJECTED TEXT/.."
I cannot make a working security exploit - the problem is I cannot inject "<" and ">".
But that issue may turn dangerous and I think this is worth fixing.

Demonstration is available at: http://www.nat.bg/~joro/mozilla/injectchar.html

I found a way to inject JavaScript code in documents in the "file:" protocol.
Demonstration is available at the original URL.
Target Milestone: M11
Blocks: 12633
Status: NEW → ASSIGNED
Whiteboard: help wanted: someone from Necko?
This exploit doesn't work for me now. I get

0[10029c0]: Assertion: "unexpected canonical path" (mPath[1] == ':') at file d:\seamonkey\mozilla\xpcom\io\nsFileSpec.cpp, line 656

Perhaps the parsing code has become stricter?
Target Milestone: M11 → M13
Move security bugs from M11 to M13; needed for beta but not for dogfood.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
>>Norris, This does not work for me anymore, even with some modifications. I
>>consider it fixed. Regards, Georgi
Verified fixed.
Status: RESOLVED → VERIFIED
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General