Closed Bug 1447853 Opened 7 years ago Closed 7 years ago

iframe sandbox escape

Categories

Product/Component: Firefox for iOS :: General
Type: defect
Platform: Other
OS: iOS
Priority: Not set
Severity: normal

Tracking


RESOLVED FIXED
Tracking Status
fxios ? ---

People

(Reporter: s.h.h.n.j.k, Assigned: garvan)

Details

(Keywords: csectype-priv-escalation, reporter-external, sec-moderate)

Attachments

(1 file)

Attached file sandbox.html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce:
1. Open attached file.
2. Click on the link inside iframe.

Actual results:
No popup shown

Expected results:
iframe sandbox can be escaped with firefox://open-url?url=URL_here
Flags: sec-bounty?
Just FYI, I would like to publish this bug in November if fixed. It'd be great if this bug could be fixed before that. Thanks!
Note: actual and expected results are reversed. There should be no popup, but this is a way to escape the sandbox and get a page opened up. We have a bug like this elsewhere, abusing invented not-web-safe protocols that we allow web pages to call. We absolutely need to prevent these escapes! I wonder if you can use the fact that Firefox is installed to do this exact same escape in Safari or Chrome on iOS :-(

This is not just bypassing the popup-prevention aspect of sandboxing. Unless the framed page uses the CSP sandbox, this could be a way to open itself in a non-sandboxed context and then run whatever unsafe code is present in the origin of the victim site.

Stefan: who can work on this security bug?
Flags: needinfo?(sarentz)
Flags: sec-bounty? → sec-bounty+
(In reply to Daniel Veditz [:dveditz] from comment #2) > Stefan: who can work on this security bug?
Assignee: nobody → sarentz
This does not look good. The firefox:// scheme should only work from other applications, not from web content. I am optimistically going to move this into v14.x because I think it is a small fix.
tracking-fxios: --- → ?
Flags: needinfo?(sarentz)
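To make the escape and the intended rule concrete, here is an added example; it is not the attached sandbox.html and not code from Firefox for iOS. Part 1 builds a constructed page in which a sandboxed iframe (no allow-popups, no allow-top-navigation) links to firefox://open-url, which is enough to hand a URL to the native app. Part 2 models the policy stated in the comment above ("the firefox:// scheme should only work from other applications, not from web content") as a navigation-policy check; the function name decidePolicy and the request field fromWebContent are assumptions, not the project's API.

```javascript
// Added example, not the bug's attachment and not Firefox for iOS source.

// Part 1: a constructed reproducer. The bare `sandbox` attribute blocks popups,
// scripts and top-level navigation, but a click on a link to an app scheme is
// still an ordinary navigation inside the frame, and iOS routes that scheme to
// the registered app, so the sandboxed content gets a page opened in Firefox.
function buildReproducer(targetUrl) {
  const escapeLink = 'firefox://open-url?url=' + encodeURIComponent(targetUrl);
  const framed = `<a href="${escapeLink}">click me</a>`;
  // srcdoc is attribute-quoted, so double quotes inside it must be entity-escaped.
  return `<!doctype html>
<iframe sandbox srcdoc="${framed.replace(/"/g, '&quot;')}"></iframe>`;
}

// Part 2: a model of the intended rule. `request.fromWebContent` is an assumed
// field marking requests that originate from a loaded page (link click,
// redirect, meta refresh) rather than from another app handing Firefox a URL.
const APP_SCHEME = 'firefox:';

function decidePolicy(request) {
  let url;
  try {
    url = new URL(request.url);
  } catch (e) {
    return { action: 'cancel', reason: 'unparseable URL' };
  }
  // WHATWG URL lower-cases the scheme, so 'FIREFOX://...' is caught as well.
  if (url.protocol !== APP_SCHEME) {
    return { action: 'allow', reason: 'not the app scheme' };
  }
  if (request.fromWebContent) {
    // This is the branch the bug is about: web content must never reach the
    // app-scheme handler, regardless of what the URL asks for.
    return { action: 'cancel', reason: 'app scheme invoked by web content' };
  }
  // Inter-app use of open-url: only hand off http(s) targets.
  const target = url.searchParams.get('url');
  if (url.host !== 'open-url' || target === null) {
    return { action: 'cancel', reason: 'unknown command' };
  }
  let targetUrl;
  try {
    targetUrl = new URL(target);
  } catch (e) {
    return { action: 'cancel', reason: 'bad target' };
  }
  if (targetUrl.protocol !== 'http:' && targetUrl.protocol !== 'https:') {
    return { action: 'cancel', reason: 'non-web target' };
  }
  return { action: 'allow', reason: 'open-url from another app', target: targetUrl.href };
}
```

The point of the origin check is that nothing in the URL itself distinguishes the two cases: the same firefox://open-url string is legitimate from another app and an escape from a frame, so the decision has to come from where the navigation request originated, not from the URL's contents.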
I have a fix and a test case for this if I can take it.
Flags: needinfo?(sarentz)
Assignee: sarentz → gkeeley
Flags: needinfo?(sarentz)
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Group: firefox-core-security → core-security-release
Group: core-security-release