Closed
Bug 1290714
Opened 8 years ago
Closed 6 years ago
Localhost navigation bypass and address bar spoofing bugs in reader-mode
Categories
(Firefox for iOS :: Reader View, defect, P3)
Tracking
RESOLVED
WORKSFORME

Tracking | Status
---|---
fxios | 10.0
People
(Reporter: sdna.muneaki.nishimura, Unassigned)
References
Details
(Keywords: sec-moderate)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36

Steps to reproduce:

1. Open http://mallory.csrf.jp/ios/spoofing5.html.
2. Tap the 2nd link in the page with any browser on your iOS device.

Actual results:

The reader-mode screen is shown in Firefox for iOS and the address bar shows https://foobarbaz.slack.com@slack-redir.com/link?url=https://threatpost.com...

This behavior has the following three security problems.

1. Reader mode hosted on http://localhost:6571 can be opened though it has been blocked due to Bug 1281204.
2. The URL in the address bar shows the authinfo part in front of the host name (e.g., foobarbaz.slack.com@) though it is prohibited due to Bug 1224906.
3. The URL in the address bar shows the 30x redirector URL but not the final URL that provides the web contents to WKWebView.

Expected results:

1. Localhost navigation should be blocked even through a firefox: URL.
2. The address bar should not show the authinfo part of the URL.
3. The address bar should show the final URL, not the 30x redirector URL.
Updated•8 years ago
Flags: sec-bounty?
Comment 1•8 years ago
This sounds like multiple bugs to be addressed. For security purposes, none of them successfully spoof the address bar in a way that will attack a victim's web site, hence the rating.
Keywords: sec-low
Reporter
Comment 2•8 years ago
There are 3 bugs in this ticket, so please divide it into some other tickets if needed. One of the bugs is the localhost access bypass with the firefox: scheme. I think it would be of higher severity because it allows any application to access chrome: features on Firefox that are hosted on http://localhost:6571. For example, the error screen on Firefox still has an open redirect bug, but it cannot be exploited due to localhost access blocking. However, if you use this bug you can exploit it from other applications, e.g., Safari, like below.

firefox://?url=http://localhost:6571/errors/error.html?url=http://a.csrf.jp/
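The three expected results in the description and the firefox: deep link in comment 2 describe three separate checks: refuse deep-link targets that land on the loopback interface, never show the userinfo part of a URL in the address bar, and show the URL that finally answered rather than the 30x redirector. The block below is an added example, not Firefox for iOS code, modelling those checks with the WHATWG URL parser that Node.js and browsers ship. It assumes the deep-link shape `firefox://?url=<target>` exactly as written in comment 2; the loopback host list, the `redir.example` host and the redirect chains are constructed for illustration.

```javascript
// Added example, not Firefox for iOS code. Models the three checks the bug
// asks for with the WHATWG URL parser (global `URL` in Node.js and browsers).
// Deep-link shape firefox://?url=<target> is taken from comment 2; hosts and
// redirect chains below are constructed for illustration.

// 1. Loopback detection on the parsed target. The WHATWG parser canonicalises
//    IPv4 shorthands such as "127.1" to dotted-quad for http(s) URLs, so
//    matching on the parsed hostname is safer than string-matching the raw link.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]" || h === "0.0.0.0") return true;
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// Extract and parse the `url` parameter of a firefox://?url=<target> link.
// Returns a URL object, or null when the parameter is absent or unparsable.
function deepLinkTarget(deepLink) {
  let link;
  try { link = new URL(deepLink); } catch { return null; }
  if (link.protocol !== "firefox:") return null;
  const target = link.searchParams.get("url");
  if (target === null) return null;
  try { return new URL(target); } catch { return null; }
}

// Expected result 1: a deep link whose target resolves to a loopback host is
// refused regardless of the scheme that carried it. Unparsable input fails closed.
function shouldBlockDeepLink(deepLink) {
  const target = deepLinkTarget(deepLink);
  if (target === null) return true;
  return isLoopbackHost(target.hostname);
}

// Expected result 2: strip userinfo before display. In
// https://foobarbaz.slack.com@slack-redir.com/... the server is slack-redir.com;
// everything before "@" is a username the parser keeps separate from the host.
function withoutUserinfo(u) {
  const copy = new URL(u.href);
  copy.username = "";
  copy.password = "";
  return copy;
}

function displayUrl(rawUrl) {
  return withoutUserinfo(new URL(rawUrl)).href;
}

// Expected result 3: follow a 30x chain and report the URL that finally answered
// with a non-3xx status, applying the loopback check to every hop. `responses`
// is a constructed map of URL -> { status, location } standing in for the
// network; Location is resolved relative to the hop that sent it.
function finalUrl(startUrl, responses, maxHops = 10) {
  let current = new URL(startUrl);
  for (let hop = 0; hop <= maxHops; hop++) {
    if (isLoopbackHost(current.hostname)) {
      throw new Error("redirect hop to loopback host: " + current.href);
    }
    const key = withoutUserinfo(current).href;   // userinfo is not part of the request URL
    const resp = responses[key];
    if (!resp) throw new Error("no response recorded for " + key);
    if (resp.status < 300 || resp.status >= 400) return key;
    current = new URL(resp.location, current);   // relative Location is allowed
  }
  throw new Error("too many redirects");
}

// Constructed sample chains (not captured traffic).
const SAMPLE_CHAIN = {
  "https://slack-redir.com/link?url=https://threatpost.com": { status: 302, location: "https://threatpost.com/" },
  "https://threatpost.com/": { status: 200 },
};
const SAMPLE_LOOPBACK_CHAIN = {
  "https://redir.example/": { status: 302, location: "http://localhost:6571/errors/error.html" },
};

module.exports = { isLoopbackHost, deepLinkTarget, shouldBlockDeepLink, displayUrl, finalUrl, SAMPLE_CHAIN, SAMPLE_LOOPBACK_CHAIN };
```

Note that the loopback check runs on the parsed `hostname`, so a `firefox://?url=http://127.1:6571/...` link is caught after canonicalisation even though the raw string never contains "localhost" or "127.0.0.1"; a check that only string-matches the deep link would miss it.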
Comment 3•8 years ago
(In reply to Muneaki Nishimura from comment #2)
> There are 3 bugs in this ticket so please devide it into some other tickets
> if needed.

We would ask you to log each of these bugs independently (so as to keep each bug to a single issue) if they are not from the same root issue.
Reporter
Comment 4•8 years ago
Hi, I divided it into the following 3 tickets.

Bug 1293066: firefox: URL scheme bypasses localhost navigation blocking
Bug 1293068: Address bar spoofing with authinfo in front of URL in reader view
Bug 1293070: Address bar spoofing with 30x redirect in reader view
Comment 5•8 years ago
It looks like none of the 3 issues remained here in this bug, so I'm closing it in favor of the others. Arbitrarily picking the first one to dupe this to.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE
Updated•8 years ago
Status: RESOLVED → REOPENED
Flags: sec-bounty- → sec-bounty+
Keywords: sec-low → sec-moderate
Resolution: DUPLICATE → ---
Updated•8 years ago
Updated•8 years ago
tracking-fxios: --- → ?
Comment 7•8 years ago
Seems like a good idea to me. I'll flag the three individual bugs mentioned in comment 4 since this one is more of a meta bug describing the combined attack.
Flags: needinfo?(bnicholson)
Updated•7 years ago
Priority: -- → P3
Comment 8•6 years ago
We have since re-implemented much of our deep-linking code and this bug is no longer reproducible.
Status: REOPENED → RESOLVED
Closed: 8 years ago → 6 years ago
Resolution: --- → WORKSFORME
Updated•5 years ago
Group: firefox-core-security → mobile-core-security
Updated•4 years ago
Group: mobile-core-security