Closed Bug 1339330 Opened 7 years ago Closed 7 years ago

about:neterror shouldn't use URL params for messages (error spoofing)

Categories

(Firefox :: General, defect)

51 Branch
x86_64
macOS
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1196267

People

(Reporter: Wester, Unassigned)

References

Details

Attachments

(2 files)

166.65 KB, image/png
Details
612.19 KB, application/zip
Details
Attached image poc.png
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

1. Visit the following link:

about:neterror?e=deniedPortAccess&u=https://google.com/&d=fake%20firefox!!

about:neterror?e=malformedURI&u=about:&c=&f=regular&d=fake%20firefox!!!!

2. You will find the net error page has been changed, fake success!

3. Firefox version: 51.0.1, macOS version: 10.12.3


Actual results:

Net error page faked!


Expected results:

Show the default page; my data should not be displayed on the page.
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64
Web pages can't link to these addresses. You can manually type them into the address bar, but that doesn't really help if you're trying to spoof.

(In reply to Zhiyang Zeng from comment #0)
> 1.visit following link:
> 
> about:neterror?e=deniedPortAccess&u=https://google.com/&d=fake%20firefox!!
> 
> about:neterror?e=malformedURI&u=about:&c=&f=regular&d=fake%20firefox!!!!

How? They aren't links. If you put them on an http: page with an explicit <a href...>, clicking them doesn't work, does it? Can you provide a working (HTML) testcase to get to these 'malformed' error pages?
Flags: needinfo?(evilzyzeng)
My opinion is:

1. The "about:" domain should not have HTML injection;

2. I can use it for phishing; and in order to look more real, I can use http://goo.gl to shorten the URL.

"https://goo.gl/sdYSPW" is pointing to "https://evil.com"

about:neterror?e=deniedPortAccess&u=https://google.com/&d=Please%20visit%20https://goo.gl/sdYSPW%20to%20get%20more%20infomations!

Please see it in attachment "poc2.zip"
Flags: needinfo?(evilzyzeng)
Attached file poc2.zip
(In reply to Zhiyang Zeng from comment #2)
> My opinion is:
> 
> 1. The "about:" domain should not have HTML injection;
> 
> 2. I can use it for phishing; and in order to look more real, I can use
> http://goo.gl to shorten the URL.
> 
> "https://goo.gl/sdYSPW" is pointing to "https://evil.com"
> 
> about:neterror?e=deniedPortAccess&u=https://google.com/
> &d=Please%20visit%20https://goo.gl/sdYSPW%20to%20get%20more%20infomations!
> 
> Please see it in attachment "poc2.zip"

Your attachment isn't a testcase, these are just screenshots.

How do you get the user to load the about: url?
Flags: needinfo?(evilzyzeng)
About your question "How do you get the user to load the about: url?":

As you said, I can't link to these addresses; I can send these links through email and other message apps only. I guess there will always be some users who will copy and paste it in the browser (if they use Firefox).

To sum it up, this phishing attack is difficult to use, and the harm is not serious.

But this issue can't be regarded as a normal phenomenon; HTML injection in the "about:" domain is a harmful problem.

What do you think?
Flags: needinfo?(evilzyzeng)
(In reply to Zhiyang Zeng from comment #5)
> About your question "How do you get the user to load the about: url?":
> 
> As you said, I can't link to these addresses; I can send these links through
> email and other message apps only. I guess there will always be some users who
> will copy and paste it in the browser (if they use Firefox).

Really? Rather than click it, which won't work? With a protocol the user doesn't recognize, like "about:"? I think this is implausible.
 
> To sum it up, this phishing attack is difficult to use, and the harm is not
> serious.

I would agree.

> But this issue can't be regarded as a normal phenomenon; HTML injection in
> the "about:" domain is a harmful problem.
> 
> What do you think?

about: pages are isolated from each other, and the network error pages are themselves unprivileged, so actually I don't think this is a serious issue.

We could add another layer of defense in depth here by avoiding the use of query parameters (and using webidl per-document things instead), but it's not clear to me that that's worth spending a lot of time on.

Dan, I'd suggest we open this up and turn it into an enhancement request / sec-polish/sec-audit for that (removing query params from about:net/certerror and passing information via systems similar to document.failedChannel).
Flags: needinfo?(dveditz)
Yep, this issue is more serious than a bug, but it is not a serious security issue. But I think the HTML injection shouldn't just be regarded as a bug.

I was most surprised about why Firefox uses query parameters to construct the page.

Thanks


(In reply to :Gijs from comment #6)
> (In reply to Zhiyang Zeng from comment #5)
> > About your question "How do you get the user to load the about: url?":
> > 
> > As you said, I can't link to these addresses; I can send these links through
> > email and other message apps only. I guess there will always be some users who
> > will copy and paste it in the browser (if they use Firefox).
> 
> Really? Rather than click it, which won't work? With a protocol the user
> doesn't recognize, like "about:"? I think this is implausible.
>  
> > To sum it up, this phishing attack is difficult to use, and the harm is not
> > serious.
> 
> I would agree.
> 
> > But this issue can't be regarded as a normal phenomenon; HTML injection in
> > the "about:" domain is a harmful problem.
> > 
> > What do you think?
> 
> about: pages are isolated from each other, and the network error pages are
> themselves unprivileged, so actually I don't think this is a serious issue.
> 
> We could add another layer of defense in depth here by avoiding the use of
> query parameters (and using webidl per-document things instead), but it's
> not clear to me that that's worth spending a lot of time on.
> 
> Dan, I'd suggest we open this up and turn it into an enhancement request /
> sec-polish/sec-audit for that (removing query params from
> about:net/certerror and passing information via systems similar to
> document.failedChannel).

We put a lot of work into sanitizing these params to avoid spoofing (and as Gijs said, it's no longer openable from the web), but now that we do have better message-passing mechanisms in the front-end code we should re-think this.
Group: firefox-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(dveditz)
Summary: fake net error page in firefox → about:neterror shouldn't use URL params for messages (error spoofing)
Component: Untriaged → General
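Comments #6 and #8 describe the two defensive layers at issue: sanitizing whatever arrives in the query string, and, better, not letting the query string carry display text at all. The toy renderer below is an added example written for this bug page, not Firefox's about:neterror code; its error table, messages, element ids and sample URLs are constructed for illustration. It shows a naive renderer that echoes the `d` parameter (the spoofing the reporter demonstrated) next to a hardened one whose only query-derived input is an allowlisted error code, with the failed URL shown as escaped text rather than as a link.

```javascript
// Added example (not Firefox's own code): a toy about:neterror-style renderer.
// Error codes, messages and sample queries below are constructed for illustration.

const KNOWN_ERRORS = {
  deniedPortAccess:
    "This address uses a network port that is normally used for purposes other than web browsing.",
  malformedURI: "The URL is not valid and cannot be loaded.",
};
const GENERIC_MESSAGE = "Firefox can't load this page.";

// Escape the five characters that can change meaning inside HTML text or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Parse "e=...&u=...&d=..." (optionally with a leading "?") into its parts.
// URLSearchParams handles percent-decoding, so "fake%20firefox" becomes "fake firefox".
function parseNetErrorQuery(query) {
  const params = new URLSearchParams(query.replace(/^\?/, ""));
  return {
    e: params.get("e") ?? "",
    u: params.get("u") ?? "",
    d: params.get("d") ?? "",
  };
}

// Naive renderer: whatever the "d" parameter says becomes the error text, and it
// is interpolated unescaped. Anyone who can get the URL loaded controls the page.
function renderNaive(query) {
  const { e, u, d } = parseNetErrorQuery(query);
  return `<h1 id="errorTitle">${e}</h1>` +
         `<p id="errorUrl">${u}</p>` +
         `<div id="errorDescription">${d}</div>`;
}

// Hardened renderer: the only query value that influences the page is "e", and
// only if it names a known error code. The message comes from the page's own
// table, the failed URL is shown as escaped text (never as a link), and "d" is
// ignored entirely, so the query string cannot carry a message to the user.
function renderHardened(query) {
  const { e, u } = parseNetErrorQuery(query);
  const known = Object.prototype.hasOwnProperty.call(KNOWN_ERRORS, e);
  const code = known ? e : "generic";
  const message = known ? KNOWN_ERRORS[e] : GENERIC_MESSAGE;
  return `<h1 id="errorTitle">${escapeHtml(code)}</h1>` +
         `<p id="errorUrl">${escapeHtml(u)}</p>` +
         `<div id="errorDescription">${escapeHtml(message)}</div>`;
}

// Constructed samples: the query from the report, with an extra HTML fragment in
// "d" to show the naive renderer also injects markup, and one with an unknown code.
const SAMPLE = "e=deniedPortAccess&u=https://google.com/&d=fake%20firefox!!%3Cb%3Ebold%3C/b%3E";
const UNKNOWN = "e=notARealCode&u=%3Cscript%3Ex%3C/script%3E&d=anything";

console.log("naive:\n" + renderNaive(SAMPLE));
console.log("hardened:\n" + renderHardened(SAMPLE));
console.log("hardened, unknown code:\n" + renderHardened(UNKNOWN));
```

The hardened variant is the query-string half of the defence only; the per-document mechanism Gijs proposes (information passed to the page by the browser itself, as with document.failedChannel, rather than through the URL) removes the untrusted input altogether and is what makes the allowlist unnecessary.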
Hello, is there any new progress?
Any progress?
Hi, anyone there?
(In reply to Zhiyang Zeng from comment #12)
> Hi, anyone there?

Yes. If there are updates (suggested patches, anything), they will appear in the bug, and you will get email. This is on our list of things to do, but it is very low priority, so there are no updates right now.
OK, thank you very much!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE

(In reply to Daniel Veditz [:dveditz] OOO until Sept 23 from comment #8)
> We put a lot of work into sanitizing these params to avoid spoofing (and as
> Gijs said, it's no longer openable from the web)

It is not true.
PoC:

<button onclick="foo()">go</button>
<script>
function foo(){
  // "f:" is not a scheme the browser knows, so the new window lands on the network error page
  open("f:","_blank").document.open();
}
</script>

(In reply to Jose María Acuña from comment #16)
> (In reply to Daniel Veditz [:dveditz] OOO until Sept 23 from comment #8)
> > We put a lot of work into sanitizing these params to avoid spoofing (and as
> > Gijs said, it's no longer openable from the web)
> 
> It is not true.

Sure, you can trivially do something that causes us to show the error page (linking to a non-existing domain would be another way). What you cannot do is directly open about:neterror/about:certerror yourself with arbitrary parameters.
