Closed Bug 162409 Opened 22 years ago Closed 22 years ago

Can trick layout history into filling <input type=file> with text from <input type=text> using key collision

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: jruderman, Assigned: john)

References

Details

(Keywords: csectype-disclosure, sec-high, Whiteboard: [adt2 RTM] [FIX])

Attachments

(3 files, 2 obsolete files)

better demo: uploads c:\test.txt
1.31 KB, text/html
Details
Patch -u
2.99 KB, patch
sicking
: review+
john
: superreview+
john
: approval+
Details | Diff | Splinter Review
Linux-friendly testcase
1.51 KB, text/html
Details 
Layout history uses keys that look like this to refill forms in session history:
Tagname>InputName>InputType>FormName>IndexInForm

InputName and FormName can contain the > character, so it is possible to trick
layout history into filling the contents of a text field into a file-upload
field.  This allows an attacker to upload a file if he knows its filename.
Attached file lame demo (obsolete) — 
I'm working on a better demo.
Keywords: adt1.0.1, nsbeta1
Thanks to jesus_X and grok for writing the server side of this demo.
Attachment #95035 - Attachment is obsolete: true
Attached patch Patch (obsolete) — Splinter Review 
This fixes the problem by putting all developer-controlled elements *after*
non-developer-controlled elements like type in the key.  Because the key is
used only to match, if the first part (containing the type) does not match the
entire key cannot match.  And since none of the things inserted can be
controlled directly by the developer, there is no chance of messing up that
crucial part. 

This has been tested against http://www.johnkeiser.com/cgi-bin/mozform.pl (to
ensure no regressions), Bugzilla bug entry and attachment pages, and the
enclosed testcase.
Attached patch Patch -uSplinter Review 
Universal diff of previous patch.
Attachment #95073 - Attachment is obsolete: true
sicking, bz, reviews?
Status: NEW → ASSIGNED
Whiteboard: [FIX]
Comment on attachment 95074 [details] [diff] [review]
Patch -u

sr=bzbarsky
Attachment #95074 - Flags: superreview+
Comment on attachment 95074 [details] [diff] [review]
Patch -u

r=sicking
Attachment #95074 - Flags: superreview+ → review+
It might be worth adding some comment to make sure that noone changes this
again. IE something about that author-data should be last so that it can't
tamper with the type.
I actually considered that but figured people watching the checkin would notice;
it would be nice to make this checkin seem as benign as humanly possible given
the horrifying scope of the exploit.
Marking as ADT2 RTM, until we can discuss the severity and discoverability of
this one with jesse and mitch.
Blocks: 143047
Keywords: nsbeta1nsbeta1+
Whiteboard: [FIX] → [adt2 RTM] [FIX]
Target Milestone: --- → mozilla1.0.1
Fix checked in to trunk.  Leaving open until we decide what else to do with it.
Comment on attachment 95074 [details] [diff] [review]
Patch -u

a=asa for 1.0.x (asa gave approval just now)
Attachment #95074 - Flags: superreview+
Attachment #95074 - Flags: approval+
Keywords: mozilla1.0.1+
Checked in on 1.1 branch.

    
    

    
  
Tested on Linux with the following:

1. Netscape 7.0 PR1
2. Patch build based on 8/13 trunk build

Using the testcase created in comment 14, clicked on the button 'Make me upload
/etc/passwd'.

Results:
In Netscape 7.0PR1 contents of file were returned.
With patch build, contents of file were NOT returned.



    
    

    
  
adding adt1.0.1+.  Please check this in tonight.
Keywords: adt1.0.1adt1.0.1+

    
    

    
  
jkeiser: Did we not check this into the 1.0 branch? Ia sk because there is no
"fixed1.0.1" marking in the keywords, nor did I see a comment saying this was
checked into the 1.0 branch, after Scott provided ADT approval. Pls advise ...

    
    

    
  
According to bonsai, this was checked in last night, so marking fixed1.0.1
Keywords: fixed1.0.1

    
    

    
  
Yes, sorry, things got hectic last night.  It should be in this morning's builds.

This is all the builds I am concerned with, resolving fixed.

We need to notify the embedders we know about so that they can pick up this fix.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

    
    

    
  
bsharma: bindu, pls verify this as fixed on the 1.0 branch and the trunk.

    
    

    
  
Verified on 2002-08-14-trunk build on Win 2000.

Loaded test cases in comment #1, #2, #3.

All of them give either error or exception in the JS console.

Status: RESOLVED → VERIFIED

    
    

    
  
Verified on 2002-08-15-branch build on Win 2000.

Loaded comment #1, #2 and #3 and all of them gave the appropriate error messages.
Keywords: fixed1.0.1verified1.0.1
Group: security?
Group: security?
Group: security

    
  
Keywords: csec-disclosure, 
          
            sec-high

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: