about:neterror shouldn't use URL params for messages (error spoofing)

RESOLVED DUPLICATE of bug 1196267

Status

Firefox :: General
a year ago
10 months ago

People

(Reporter: Zhiyang Zeng, Unassigned)

Tracking

51 Branch
x86_64
Mac OS X

Attachments

(2 attachments)

166.65 KB, image/png
612.19 KB, application/zip
(Reporter)

Description

a year ago
Created attachment 8837023 [details]
poc.png

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

1. Visit the following links:

about:neterror?e=deniedPortAccess&u=https://google.com/&d=fake%20firefox!!

about:neterror?e=malformedURI&u=about:&c=&f=regular&d=fake%20firefox!!!!

2. You will find the net error page has been changed; fake success!

3. Firefox version: 51.0.1, macOS version: 10.12.3


Actual results:

Net error page faked!


Expected results:

Show the default page; my data should not be displayed on the page.
(Reporter)

Updated

a year ago
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86_64

Comment 1

a year ago
Web pages can't link to these addresses. You can manually type them into the address bar, but that doesn't really help if you're trying to spoof.

(In reply to Zhiyang Zeng from comment #0)
> 1. Visit the following links:
> 
> about:neterror?e=deniedPortAccess&u=https://google.com/&d=fake%20firefox!!
> 
> about:neterror?e=malformedURI&u=about:&c=&f=regular&d=fake%20firefox!!!!

How? They aren't links. If you put them on an http: page with an explicit <a href...>, clicking them doesn't work, does it? Can you provide a working (HTML) testcase to get to these 'malformed' error pages?
Flags: needinfo?(evilzyzeng)
(Reporter)

Comment 2

a year ago
My opinion is:

1. The "about:" domain should not have HTML injection;

2. I can use it for phishing; and in order to look more real, I can use http://goo.gl to shorten the URL.

"https://goo.gl/sdYSPW" is pointing to "https://evil.com"

about:neterror?e=deniedPortAccess&u=https://google.com/&d=Please%20visit%20https://goo.gl/sdYSPW%20to%20get%20more%20infomations!

Please see it in attachment "poc2.zip"
Flags: needinfo?(evilzyzeng)
(Reporter)

Comment 3

a year ago
Created attachment 8837117 [details]
poc2.zip

Comment 4

a year ago
(In reply to Zhiyang Zeng from comment #2)
> My opinion is:
> 
> 1. The "about:" domain should not have HTML injection;
> 
> 2. I can use it for phishing; and in order to look more real, I can use
> http://goo.gl to shorten the URL.
> 
> "https://goo.gl/sdYSPW" is pointing to "https://evil.com"
> 
> about:neterror?e=deniedPortAccess&u=https://google.com/
> &d=Please%20visit%20https://goo.gl/sdYSPW%20to%20get%20more%20infomations!
> 
> Please see it in attachment "poc2.zip"

Your attachment isn't a testcase, these are just screenshots.

How do you get the user to load the about: url?
Flags: needinfo?(evilzyzeng)
(Reporter)

Comment 5

a year ago
About your question "How do you get the user to load the about: url?":

As you said, I can't link to these addresses; I can send these links through email and other message apps only. I guess there will always be some users who will copy and paste it into the browser (if they use Firefox).

To sum it up, this phishing attack is difficult to use, and the harm is not serious.

But this issue can't be regarded as a normal phenomenon; HTML injection in the "about:" domain is a harmful problem.

What do you think?
Flags: needinfo?(evilzyzeng)

Comment 6

a year ago
(In reply to Zhiyang Zeng from comment #5)
> About your question "How do you get the user to load the about: url?":
> 
> As you said, I can't link to these addresses; I can send these links through
> email and other message apps only. I guess there will always be some users who
> will copy and paste it into the browser (if they use Firefox).

Really? Rather than click it, which won't work? With a protocol the user doesn't recognize, like "about:"? I think this is implausible.
 
> To sum it up, this phishing attack is difficult to use, and the harm is not
> serious.

I would agree.

> But this issue can't be regarded as a normal phenomenon; HTML injection in
> the "about:" domain is a harmful problem.
> 
> What do you think?

about: pages are isolated from each other, and the network error pages are themselves unprivileged, so actually I don't think this is a serious issue.

We could add another layer of defense in depth here by avoiding the use of query parameters (and using webidl per-document things instead), but it's not clear to me that that's worth spending a lot of time on.

Dan, I'd suggest we open this up and turn it into an enhancement request / sec-polish/sec-audit for that (removing query params from about:net/certerror and passing information via systems similar to document.failedChannel).
Flags: needinfo?(dveditz)
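The approach comment 6 sketches, as an added example that is not Firefox's code: the error page's visible text is built only from a trusted per-document error record (error code and failed URL, the kind of data a failed-channel object would carry), never from the e=/u=/d= query parameters spoofed in the report. All function names, the message table and the sample input are constructed for illustration.

```javascript
// Added example, not Firefox's own code. Models an about:neterror-style page
// that reads nothing from attacker-controllable URL query parameters.

// Browser-owned message table keyed by a known error code (constructed text).
const ERROR_MESSAGES = {
  deniedPortAccess: "Access to this port has been blocked for security reasons.",
  malformedURI: "The address is not valid.",
  unknown: "The page could not be loaded.",
};

// The failed URL is the only untrusted value that still has to be shown, so
// it is escaped before being placed in markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Parses the legacy query form from the report. Kept only to show what the
// page used to trust; the renderer below never reads the `d` field.
function parseLegacyQuery(search) {
  const p = new URLSearchParams(search);
  return { e: p.get("e"), u: p.get("u"), d: p.get("d") };
}

// Renders from a trusted record. Only `errorCode` and `failedUrl` are read;
// any other field (such as a free-form description) is ignored, and an
// unknown code falls back to the generic message instead of echoing input.
function renderErrorPage(record) {
  const known = Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, record.errorCode);
  const code = known ? record.errorCode : "unknown";
  const url = escapeHtml(record.failedUrl || "");
  return `<h1>Problem loading page</h1>\n` +
         `<p id="errorCode">${code}</p>\n` +
         `<p id="failedUrl">${url}</p>\n` +
         `<p id="description">${ERROR_MESSAGES[code]}</p>`;
}

// Constructed input mirroring the spoof URL from the report: even if a caller
// forwards the parsed `d` value, it has no path into the rendered page.
const spoofed = parseLegacyQuery("?e=deniedPortAccess&u=https://google.com/&d=fake%20firefox!!");
const page = renderErrorPage({ errorCode: spoofed.e, failedUrl: spoofed.u, description: spoofed.d });
console.log(page.includes("fake firefox") ? "attacker text shown" : "attacker text not shown");
```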
(Reporter)

Comment 7

a year ago
Yep, this issue is more serious than a bug, but it is not a serious security issue. But I think the HTML injection shouldn't just be regarded as a bug.

What surprised me most is why Firefox uses query parameters to construct the page.

Thanks


(In reply to :Gijs from comment #6)
> (In reply to Zhiyang Zeng from comment #5)
> > About your question "How do you get the user to load the about: url?":
> > 
> > As you said, I can't link to these addresses; I can send these links through
> > email and other message apps only. I guess there will always be some users who
> > will copy and paste it into the browser (if they use Firefox).
> 
> Really? Rather than click it, which won't work? With a protocol the user
> doesn't recognize, like "about:"? I think this is implausible.
>  
> > To sum it up, this phishing attack is difficult to use, and the harm is not
> > serious.
> 
> I would agree.
> 
> > But this issue can't be regarded as a normal phenomenon; HTML injection in
> > the "about:" domain is a harmful problem.
> > 
> > What do you think?
> 
> about: pages are isolated from each other, and the network error pages are
> themselves unprivileged, so actually I don't think this is a serious issue.
> 
> We could add another layer of defense in depth here by avoiding the use of
> query parameters (and using webidl per-document things instead), but it's
> not clear to me that that's worth spending a lot of time on.
> 
> Dan, I'd suggest we open this up and turn it into an enhancement request /
> sec-polish/sec-audit for that (removing query params from
> about:net/certerror and passing information via systems similar to
> document.failedChannel).
We put a lot of work into sanitizing these params to avoid spoofing (and as Gijs said, it's no longer openable from the web), but now that we do have better message-passing mechanisms in the front-end code we should re-think this.
Group: firefox-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(dveditz)
Summary: fake net error page in firefox → about:neterror shouldn't use URL params for messages (error spoofing)

Updated

a year ago
Duplicate of this bug: 1342855

Updated

a year ago
Component: Untriaged → General
(Reporter)

Comment 10

a year ago
Hello, is there any new progress?
(Reporter)

Comment 11

a year ago
Any progress?
(Reporter)

Comment 12

11 months ago
Hi, anyone there?

Comment 13

11 months ago
(In reply to Zhiyang Zeng from comment #12)
> Hi, anyone there?

Yes. If there are updates (suggested patches, anything), they will appear in the bug, and you will get email. This is on our list of things to do, but it is very low priority, so there are no updates right now.
(Reporter)

Comment 14

11 months ago
OK, thank you very much!

Updated

10 months ago
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1196267