Closed Bug 1488180 (CVE-2018-18497) Opened 3 years ago Closed 3 years ago

Extensions can load arbitrary URLs in new windows via "|" separators

Categories

(WebExtensions :: General, defect, P1)


Tracking

(firefox-esr60 wontfix, firefox62 wontfix, firefox63 wontfix, firefox64 verified)

VERIFIED FIXED
mozilla64

People

(Reporter: robwu, Assigned: robwu)

Details

(Keywords: csectype-priv-escalation, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main64+])

Attachments

(1 file)

Extensions are only allowed to load some URLs (http(s), ftp:, moz-extension:,  and about:blank).

However, these restrictions can be bypassed by using pipes in the URL passed to the browser.windows.create API.

STR
1. Install any add-on (no extension permissions required).
2. Visit about:debugging and click on the Debug button at the add-on.
3. Run the following snippet:

browser.windows.create({
  url: "about:blank?|file:///tmp/|about:config"
});

Expected:
- An "about:blank" URL should be opened (maybe with some junk in its query string).

Actual:
- Three tabs are opened: "about:blank", "file:///tmp" and "about:config". The last two URLs are restricted URLs.


The crazy behavior of | will hopefully be addressed by bug 1485961 (not adding see also because that bug is public).

I will covertly plug this hole (together with bug 1486738) via (public) bug 1393570.
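As an added illustration of the failure mode in the report (not Firefox's code, not the reporter's, and not the fix that landed in bug 1393570), the model below applies an extension-URL allow-list to the raw string first and only afterwards hands it to a legacy opener that splits on "|", beside the corrected order of operations that validates each URL the opener will actually load. The function names, the allow-list, the about:blank regex and the "|" splitting helper are assumptions made for this example.

```javascript
// Added example: a model of the check-then-split ordering bug. Not Firefox's
// implementation; names, allow-list and splitting behaviour are assumptions.

// Schemes an extension may open (assumed allow-list; about:blank is special-cased).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:", "moz-extension:"]);

// Allow-list one URL string. "about:blank" with an optional query is the only
// about: URL accepted; anything else must parse and carry an allowed scheme.
// Note that "about:blank?|file:///tmp/|about:config" passes this check: the
// whole thing looks like about:blank with junk in its query string.
function isAllowedExtensionUrl(url) {
  if (/^about:blank(\?.*)?$/.test(url)) return true;
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparseable: reject rather than guess
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Assumed legacy window opener behaviour: "url1|url2|url3" becomes one tab per part.
function splitUrlList(urlString) {
  return urlString.split("|");
}

// VULNERABLE ordering: validate the raw string, then let the opener split it.
// Returns the list of URLs that would be opened as tabs.
function openWindowVulnerable(urlString) {
  if (!isAllowedExtensionUrl(urlString)) {
    throw new Error("Illegal URL: " + urlString);
  }
  return splitUrlList(urlString);
}

// FIXED ordering: compute the final list of URLs exactly as the opener will
// consume them, then validate every element and refuse the whole request on
// the first restricted URL. Returns the list of URLs that would be opened.
function openWindowFixed(urlString) {
  const urls = splitUrlList(urlString);
  for (const u of urls) {
    if (!isAllowedExtensionUrl(u)) {
      throw new Error("Illegal URL: " + u);
    }
  }
  return urls;
}

// Constructed sample input, mirroring the STR in the report.
const PAYLOAD = "about:blank?|file:///tmp/|about:config";
```

The point of the model is where the check sits relative to the transformation: any validation performed on a different representation than the one the consumer finally loads can be bypassed by whatever that later transformation does (here, turning one "about:blank" into three URLs). In the fixed variant `openWindowFixed(PAYLOAD)` throws on `file:///tmp/`, while `openWindowVulnerable(PAYLOAD)` returns all three URLs.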
Priority: -- → P1
Fixed by bug 1393570.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Group: toolkit-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Verified as fixed using Firefox 64 (buildid 20181105164654) on Windows 10 x64 and macOS 10.13.6.

I also confirmed that the issue was reproducible on earlier FF versions.

I will attach a postfix screenshot.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Attached image Postfix screenshot
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main64+]
Alias: CVE-2018-18497
Group: core-security-release