Bug 1425267 (CVE-2018-5113)
browser.identity.launchWebAuthFlow can open privileged pages
Status: RESOLVED FIXED (Closed)
Opened 6 years ago
Closed 6 years ago
Categories: WebExtensions :: General, defect
Target Milestone: mozilla59
Version | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox59 | --- | fixed |
People: Reporter: qab, Assigned: mixedpuppy
Details: Keywords: sec-moderate, Whiteboard: [adv-main58+][post-critsmash-triage]
Attachments (2 files):
4.03 KB, application/x-zip-compressed
2.76 KB, patch (rpl: review+, gchang: approval-mozilla-beta+)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce:
1. Unpack attached PoC addon
2. Go to about:debugging and temporarily load the unpacked addon
3. 'about:addons' is opened in new window

Actual results:
browser.identity.launchWebAuthFlow does not check whether the passed URL is http/s only. We can open privileged about: pages as well as file: urls.

Expected results:
It should only open http/s (maybe other) URI schemes.
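
The check the report asks for ("It should only open http/s"), written out as an added example; it is not part of the original report and is not Mozilla's patch, which restricted the argument through the API schema. `validateAuthFlowUrl`, `ALLOWED_SCHEMES` and the sample URLs are hypothetical names and constructed inputs.

```javascript
// Added example: scheme allow-list applied to a URL before it is opened.
// validateAuthFlowUrl and ALLOWED_SCHEMES are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok, scheme, reason } and never throws on hostile input.
function validateAuthFlowUrl(input) {
  if (typeof input !== "string") {
    return { ok: false, scheme: null, reason: "url must be a string" };
  }
  let parsed;
  try {
    // No base URL on purpose: relative input is rejected instead of being
    // resolved against whatever context the caller runs in.
    parsed = new URL(input);
  } catch (e) {
    return { ok: false, scheme: null, reason: "not an absolute URL" };
  }
  // URL.protocol is lower-cased by the parser and keeps the trailing colon,
  // so "HTTP:" and "http:" compare equal here.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, scheme: parsed.protocol, reason: "scheme not allowed" };
  }
  return { ok: true, scheme: parsed.protocol, reason: null };
}

// Constructed sample inputs: two ordinary auth endpoints, the about: and
// file: cases named in the report, a wrapped scheme, and a relative path.
const SAMPLES = [
  "https://accounts.example.com/oauth?client_id=abc",
  "HTTP://Example.COM/login",
  "about:addons",
  "file:///C:/Users/",
  "view-source:https://example.com/",
  "/oauth/start",
];

// Runs the validator over a list and keeps the input next to the verdict.
function auditSamples(samples = SAMPLES) {
  return samples.map((url) => ({ url, ...validateAuthFlowUrl(url) }));
}

for (const r of auditSamples()) {
  console.log(r.ok ? "ALLOW" : "BLOCK", r.url, r.reason || "");
}
```
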
Comment 1•6 years ago
Shane, given bug 1305421, I guess you know about this?
Group: firefox-core-security → toolkit-core-security
Component: Untriaged → WebExtensions: General
Flags: needinfo?(mixedpuppy)
Product: Firefox → Toolkit
Comment 3•6 years ago
Redirecting back to Shane, who is already looking into this.
Flags: needinfo?(lgreco) → needinfo?(mixedpuppy)
Comment 4 (Assignee)•6 years ago
Assignee: nobody → mixedpuppy
Flags: needinfo?(mixedpuppy)
Attachment #8938122 - Flags: review?(lgreco)
Updated•6 years ago
Attachment #8938122 - Flags: review?(lgreco) → review+
Comment 5 (Assignee)•6 years ago
FYI I'm not certain this is any real security concern here. Extensions should get no more access to eg. about:addons opened this way than they would if a user opened a tab to it. Nonetheless, it is fixed.
Comment 6 (Reporter)•6 years ago
(In reply to Shane Caraveo (:mixedpuppy) from comment #5)
> FYI I'm not certain this is any real security concern here. Extensions
> should get no more access to eg. about:addons opened this way than they
> would if a user opened a tab to it. Nonetheless, it is fixed.

This bug alone is not that dangerous, like the only security issue I can think of is opening 'about:addons' as soon as a user drags a link pointing to an addon and then once it's dropped it will attempt to install. Another example is that I found an XSS in one of the about: pages which alone is not exploitable due to having the victim type the URL manually to open the affected about: page. But coupled with this bug the whole process is automated resulting in a sec-highISH security exploit.

So technically this bug is a sec-moderate issue ( https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#0 )
Comment 7 (Reporter)•6 years ago
The above URL should have a hash pointing to "CVE-2017-7816: WebExtensions can load about: URLs in extension UI" Not sure why it did that.
Updated•6 years ago
Keywords: sec-moderate
Comment 8 (Assignee)•6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/0c4f3b8d311e4751dafc00d689c3bf07f17c15dd
Bug 1425267 fix url param schema for launchWebAuthFlow, r=rpl
Comment 9 (Assignee)•6 years ago
Comment on attachment 8938122
fix url param schema for launchWebAuthFlow

Requesting now so this is not lost over the break.

Approval Request Comment
[Feature/Bug causing the regression]: identity api
[User impact if declined]: possible to open local urls
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: yes, see opening comment for str
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: no new code paths, just limiting api arguments via schema
[String changes made/needed]: none
Attachment #8938122 - Flags: approval-mozilla-beta?
Comment 10•6 years ago
https://hg.mozilla.org/mozilla-central/rev/0c4f3b8d311e
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
status-firefox59: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment 11•6 years ago
Comment on attachment 8938122
fix url param schema for launchWebAuthFlow

Fix a security issue in which it is possible to open local urls. Beta58+.
Attachment #8938122 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•6 years ago
status-firefox58: --- → affected
Comment 12•6 years ago
uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/f926975917f9579d2097552f943aece7f6cb4dc8
Updated•6 years ago
status-firefox57: --- → wontfix
status-firefox-esr52: --- → unaffected
Updated•6 years ago
Whiteboard: [adv-main58+]
Updated•6 years ago
Alias: CVE-2018-5113
Updated•6 years ago
Flags: sec-bounty?
Updated•6 years ago
Whiteboard: [adv-main58+] → [adv-main58+][post-critsmash-triage]
Updated•6 years ago
Group: toolkit-core-security → core-security-release
Updated•6 years ago
Flags: sec-bounty? → sec-bounty+
Updated•6 years ago
Product: Toolkit → WebExtensions