PAC's FindProxyForURL is insecure ("Unholy PAC")

RESOLVED DUPLICATE of bug 1255474

Product: Core
Component: Networking

Reporter: andy
Assignee: Unassigned


Description (reporter, 2 years ago)
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160623084759

Steps to reproduce:

See: https://www.blackhat.com/us-16/briefings.html#crippling-https-with-unholy-pac

I don't know full details, and I haven't tested it, but presumably what's going on is that FindProxyForURL isn't locked down enough.  I'm guessing there are two classes of vulnerabilities here:

1. FindProxyForURL is passed full URLs even if they use HTTPS.  This directly leaks any sensitive information in the URL to the local network in cleartext.

2. FindProxyForURL is executed in an insufficiently sandboxed context.  From the advisory, it sounds like state is shared between FindProxyForURL invocations, allowing malicious PAC scripts to inject code into one tab based on the URL or (for HTTP) contents of another tab.

I'm not marking this as a "security" bug because it's already public.

If this is already being tracked internally, feel free to close it.

Updated (2 years ago)
Component: Untriaged → Networking
Product: Firefox → Core
This is a dupe of Bug 1255474, tracked with the security bit enabled still.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1255474