The default bug view has changed. See this FAQ.

XMLHttpRequest allows reading of local files

VERIFIED FIXED in mozilla1.0

Status

()

Core
DOM
P1
critical
VERIFIED FIXED
15 years ago
4 years ago

People

(Reporter: Giscard Girard, Assigned: Darin Fisher)

Tracking

({topembed+})

Trunk
mozilla1.0
topembed+
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ADT1][m5+][fixed-trunk], URL)

Attachments

(3 attachments, 2 obsolete attachments)

(Reporter)

Description

15 years ago
When an http server redirects the user to a local file, XMLHttpRequest gets
tricked into thinking the page came from the http server.
i can confirm this with win2k build 20020428..
Status: UNCONFIRMED → NEW
Ever confirmed: true
I am marking this bug Security-Sensitive. That means only people in the Bugzilla
security group and everyone whose email appears in the fields of the bug
(reporter, etc.) will be able to view it. If anyone objects, simply uncheck the
box above.
Assignee: jst → mstoltz
Group: security?
Target Milestone: --- → mozilla1.0
(Reporter)

Comment 3

15 years ago
The folks at greymagic found this bug.  Just so there's no confusion, I take no
responsability for finding this bug.

Updated

15 years ago
Keywords: nsbeta1, topembed
QA Contact: lchiang → bsharma
BTW: http://www.theregister.co.uk/content/4/25079.html

It looks like the problem is that http doesn't do any security handling itsself.
Instead, it relies on docshell to call CheckLoadURI in its OnRedirect handler -
see http://lxr.mozilla.org/seamonkey/source/uriloader/base/nsDocLoader.cpp#1270

darin, Mitch - should http be doing its own security checks? Is there ever a
case where we don't want these run?
In 1.0RC1, this test case crashes for me on linux. A local test case sometimes
crashes, and sometimes hangs, depending on the details of my redirect. I don't
have a branch debug build to work our where this is happening.

On the trunk, using that test page, I can load chrome urls, and have the text
appear. I can't load js ones, though, because the channel doesn't provide an
nsIInterfaceRequestor for us to get teh script global from, so I hit the
assertion in nsJSThunk::EvaluateScript.

Updated

15 years ago
Blocks: 138000
Any point in keeping this closed now that the Register has pasted the (trivial)
sample code, as well as the GreyMagic advisory page having a working demonstration?
cls and timeless are going to turn off xmlextras in the default build until we
have a fix, so I'm adding them to the cc:.  Whatever fix-patch we end up with
can tweak configure.in again.

Comment 8

15 years ago
Created attachment 81685 [details] [diff] [review]
remove xmlextras from configure.in

Comment 9

15 years ago
Comment on attachment 81685 [details] [diff] [review]
remove xmlextras from configure.in

Noted on IRC but for the record, r=cls.

FYI, this change is going to remove xmlextras from the build completely.  To
enable it in a build, you'll have to explicitly specify it: e.g.
--enable-extensions=all,xmlextras
Attachment #81685 - Flags: review+

Comment 10

15 years ago
cc'ing heikki the module owner for xmlextras
(Reporter)

Comment 11

15 years ago
Created attachment 81704 [details]
calls document.load('redir.asp')
*** Bug 141208 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 13

15 years ago
Created attachment 81705 [details]
redirects to file:///c:/test.xml
(Reporter)

Comment 14

15 years ago
This bug is also affected by document.load().  To test this 
put load.html and redir.asp on a webserver.  
point your browser to http://<yourwebserver>/load.html.  
load.html will display c:/test.xml in your browser.
I don't think there is point in keeping this secret, it is public knowledge now
(articles at The Register etc.).

This also affects document.load(), which you cannot disable by disabling
xmlextras from the build. This needs a real fix.

Marking nsbeta1+ and topembed+ (pretty sure Jud would not mind;).
Keywords: nsbeta1, topembed → nsbeta1+, topembed+
Priority: -- → P1
Whiteboard: [ADT1]
(Assignee)

Comment 16

15 years ago
two solutions:

1) make sure we have an nsIHttpEventSink::OnRedirect implementation whenever
loading http URLs.

2) make http call CheckLoadURI itself.

i'd prefer to go the route of solution 1 if at all possible.  i know it's
riskier, but it would keep things more modular (necko would have to depend on caps).
(Assignee)

Comment 17

15 years ago
Created attachment 81716 [details] [diff] [review]
patch - solution #2

this patch ensures that CheckLoadURI is called for all HTTP redirects.
(Assignee)

Comment 18

15 years ago
can people try out this patch and verify that it does indeed fix this bug?  thx!
(Assignee)

Comment 19

15 years ago
ok, i verified this patch against an XMLHttpRequest based exploit.

if inside the netscape firewall, see http://unagi.mcom.com/~darinf/test.html

if you have a local file on your system with the URL file:///tmp/test.txt,
you'll see it's contents appear in an alert box when you load test.html.  if you
apply my patch, you'll no longer see any text in the alert box.
(Assignee)

Comment 20

15 years ago
-> me
Assignee: mstoltz → darin
(Assignee)

Comment 21

15 years ago
Created attachment 81725 [details] [diff] [review]
patch - same thing, with equivalent code commented out of nsDocLoader.cpp

this patch comments out the redundant code in nsDocLoader.cpp
(Assignee)

Updated

15 years ago
Keywords: adt1.0.0, mozilla1.0+

Comment 22

15 years ago
adding the to beta stopper list.  Who should r=/sr= this?
Whiteboard: [ADT1] → [ADT1][m5+]

Updated

15 years ago
Keywords: adt1.0.0, mozilla1.0+
Priority: P1 → --
Whiteboard: [ADT1][m5+] → [ADT1]

Comment 23

15 years ago
undoing the keyword, whiteboard and priority changes i wiped away with
my last change. sorry. readding nsbeta1+ and topembed+ because it looks
like those were removed accidently as well.
Keywords: adt1.0.0, mozilla1.0+
Priority: -- → P1
Whiteboard: [ADT1] → [ADT1][m5+]
I tried to make document.load() tests for Apache, but they don't seem to work.
These are on an internal Netscape server (Netscape people should be able to log
in normally if you want to tweak things).

http://green.nscp.aoltw.net/heikki/141061/load-win.html (c:\temp\test.txt)
http://green.nscp.aoltw.net/heikki/141061/load-unix.html (/tmp/test.txt)

Anyone who could test the load tests from Giscard with Darin's patch?
Keywords: adt1.0.0, mozilla1.0+
Whiteboard: [ADT1][m5+] → [ADT1]
Oops, sorry, I can confirm this fixes the document.load() bug on Windows as well.
To test the load() tests, place test.xml file on your local disc.
c:\temp\test.xml for Windows and /tmp/test.xml for Unix.

That test file could be something as simple as: <doc>Foobar</doc>
Comment on attachment 81725 [details] [diff] [review]
patch - same thing, with equivalent code commented out of nsDocLoader.cpp

Looks good. r=mstoltz
Attachment #81725 - Flags: review+

Comment 28

15 years ago
putting back on the beta stopper list.
Whiteboard: [ADT1] → [ADT1][m5+]
I'd like to keep this bug security-confidential for another day or two. If
anyone objects, please send mail to security-group@mozilla.org and we'll discuss
it there - NOT here in the bug.

Comment 30

15 years ago
patch manager is really good at bad collisions...
Keywords: adt1.0.0, mozilla1.0+
On second thought, let's open up the bug. Transparency is good.
Group: security?
Has anyone got a debug branch build to see if this fixes the crash, too?
Comment on attachment 81725 [details] [diff] [review]
patch - same thing, with equivalent code commented out of nsDocLoader.cpp

sr=heikki
Attachment #81725 - Flags: superreview+
Attachment #81685 - Attachment is obsolete: true
Attachment #81716 - Attachment is obsolete: true
The crash was another issue, it has been fixed in XMLHttpRequest on the trunk &
branch. Harishd just made a patch for document.load() case. Basically the crash
occurred when those objects were used to load non-XML data, especially if they
contained stylesheets.

I am making a testcase to see if this fixes the case of redirecting stylesheets.

Comment 35

15 years ago
Comment on attachment 81725 [details] [diff] [review]
patch - same thing, with equivalent code commented out of nsDocLoader.cpp

a=asa (on behalf of drivers) for checkin to the 1.0 branch
Attachment #81725 - Flags: approval+
Create test.css file with contents

p {color:red;}

and place it in c:\temp\test.css, then point your browser into this URL

http://green.nscp.aoltw.net/heikki/141061/style-win.html

Confirmed that this patch fixes that as well. This bug was reported on bugtraq.
*** Bug 141348 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 38

15 years ago
fixed-on-trunk
Status: NEW → ASSIGNED
Whiteboard: [ADT1][m5+] → [ADT1][m5+][fixed-trunk]

Comment 39

15 years ago
adding adt1.0.0+.  Please check this into the branch as soon as possible and add
the fixed1.0.0 keyword.
Keywords: adt1.0.0 → adt1.0.0+

Comment 40

15 years ago
Also fixed on 1.0 branch.
shouldn't this be marked FIXED now?
Keywords: fixed1.0.0

Comment 42

15 years ago
*** Bug 141453 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 43

15 years ago
marking FIXED
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Comment 44

15 years ago
*** Bug 141551 has been marked as a duplicate of this bug. ***

Comment 45

15 years ago
*** Bug 141727 has been marked as a duplicate of this bug. ***

Comment 46

15 years ago
*** Bug 141755 has been marked as a duplicate of this bug. ***
(Assignee)

Updated

15 years ago
Keywords: fixed0.9.4

Comment 47

15 years ago
Verified on 2002-05-01-trunk and 2002-05-01-branch on WinNT

3 testcases:
1. URL
2. barrowma.com/redirtest.html
3. test provided by Heikki

work fine.
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.0 → verified1.0.0

Comment 48

15 years ago
I was playing around with the exploit example page at
http://sec.greymagic.com/adv/gm001-ns/ and i was wondering about what appears to
be a similar problem.

After updating to the very latest (fixed) Moz, the file://whatever hole seems to
be fixed. However, if i type, say, http://slashdot.org/users.pl?op=edituser into
the textbox and click "sniff", the content that their site grabs from me
includes what is supposed to be private data -- my email address and so on. 

Could an approach similar to this bug be used to, say, grab someone's stock
portfolio information by sniffing a URL at Yahoo Finance?
Mike, chances are the answer is "yes", from what I remember of this code...
could you please file a separate bug on it?
(Assignee)

Comment 50

15 years ago
Mike: yup, you raise a good point... however, short of breaking compatibility
with a large number of websites, there is very little we can do to avoid that
security risk.  IMO, concerned users ought to disable javascript anyways when
potentially visiting a malicious website.
I can fix the problem Mike mentioned in XMLHttpRequest itself (maybe also for
document.load but I am not sure). I'll do that in bug 133170.
Darin, what sites?  Who uses this?  And this seems like a serious problem, one
that will show up.  I don't want to ship like that.  Heikki, do we need to make
sure that the bug you mentioned stays on the 1.0 radar?
(Assignee)

Comment 53

15 years ago
blizzard: i was referring primarily to document.load ... seems like it'd be
common place for websites to document.load an URL that results in a redirect to
a site under a different domain.  so, how can we block cross-site redirects on
document.load?  no other browser does, so we'd just end up making the product
incompatible with who-knows-what top100 website.

Comment 54

15 years ago
To get a version which includes the fix, are the nightly builds stable enough 
for download by end-users? Or should they wait for RC2? Any estimate yet on a 
release date for RC2? 
document.load(), and XMLHttpRequest.open() already check if they are allowed to
access the URL that is passed in, and fail if the security check fails. The fact
that you can go around this check by using a redirect seems like a bug to me,
clear and simple.

I created two testcases that show this allows a hacker access to Bugzilla using
my account, and access to W3C member-only sections using my account. The
exploits are possible if I have logged in to Bugzilla (cookies remember my login
and are sent automatically) or W3C (basic auth login remembered and sent
automatically) during this session.

http://green.nscp.aoltw.net/heikki/133170/xmlhttpbugzilla.html
http://green.nscp.aoltw.net/heikki/133170/xmlhttpw3cauth.html

XMLHttpRequest is the more serious issue here because it can give you access to
documents regardless of format. document.load(), I believe, will only be able to
give the hacker access to XML documents. I have a fix for XMLHttpRequest
altready, and I am debugging similar fix for document.load() in bug 133170.

I would advice moving this discussion there.

Comment 56

15 years ago
> Any estimate yet on a release date for RC2?

Any day now.
> Any estimate yet on a release date for RC2?

When all dependencies for bug 138000 are fixed, except the nsIFIle one
for what it's worth, PPEmbed from 5/6/02 1.0 branch still has this problem.

should i reopen? removing verified1.0.0 keyword. we need traction on this asap,
it's a beta blocker for embedding clients.
Keywords: verified1.0.0
never mind, it appears we jumped the gun. this bug appears fixed in 5/6/02
ppembed. someone is toking up without sharing again. ;)

Comment 60

15 years ago
adding back verified1.0.0 based on pinkerton's most recent comments.  It sounds
like new issues are being handled in 133170.
Keywords: verified1.0.0

Comment 61

15 years ago
I was away for a few days; after reading the new comments, i'm not sure whether
you still want me to file a new bug as requested in #49, or if someone else is
taking care of this potential problem.
Mike, that is being covered by bug 133170.

Comment 63

15 years ago
Darin: Will this solve Bug 102262?

I've been wanting that to go away for a long time, but haven't had time to focus
on it.

Comment 64

15 years ago
Verified on 2002-05-08-6.2.3 on WinNT.
3 testcases:

1. URL ("This is blocked by the security manager)
2. barrowma.com/redirtest.html (an empty alert is shown)
3. test provided by Heikki (text is not red)

work fine.

Updated

15 years ago
QA Contact: bsharma → ian
Component: DOM: Mozilla Extensions → DOM
Product: Core → Core
You need to log in before you can comment on or make changes to this bug.