Closed
Bug 1656746
Opened 4 years ago
Closed 4 years ago
iframe sandbox bypass by fenix://open
Categories
(Fenix :: General, defect)
Tracking
(firefox-esr68 unaffected, firefox-esr78 unaffected, firefox79 verified, firefox80 verified, firefox81 fixed)
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox79 | --- | verified |
| firefox80 | --- | verified |
| firefox81 | --- | fixed |
People
(Reporter: sdna.muneaki.nishimura, Assigned: sebastian)
References
()
Details
(Keywords: csectype-priv-escalation, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Similar to Bug 1447853 on Firefox iOS, fenix://open?url= on Fenix can bypass <iframe sandbox>.
- Launch http://csrf.jp/2020/fenix_sandbox_bypass.html
- The page contains an <iframe sandbox> that shows a data: page with three URL links
- If you use Fenix Nightly, tap "On Fenix Nightly"
- http://evil.csrf.jp is shown in new tab with bypassing sandbox
Note that the page in the 1) has the following iframe.
<iframe sandbox src="data:text/html,<a href=fenix://open?url=http://evil.csrf.jp>On Fenix</a><br><a href=fenix-beta://open?url=http://evil.csrf.jp>On Fenix Beta</a><br>
<a href=fenix-nightly://open?url=http://evil.csrf.jp>On Fenix Nightly</a>"></iframe>
Flags: sec-bounty?
|
||
Updated•4 years ago
|
Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Fenix
|
Assignee | |
Comment 1•4 years ago
•
|
||
Will try to address this as part of bug 1656747.
But specifically here noticed that we may not pass the EXTERNAL flag to GeckoView when loading the URL ... and wonder whether we should.
|
||
Comment 2•4 years ago
|
||
Not a blocker for the next Fenix rollout stage. But let's include at the next opportunity, before we hit tier 2 countries.
|
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → s.kaspari
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•4 years ago
|
||
The patch attached to bug 1656747 addresses this issue too.
|
||
Updated•4 years ago
|
Keywords: csectype-priv-escalation,
sec-moderate
|
||
Updated•4 years ago
|
Group: mobile-core-security → core-security-release
|
|
Assignee | |
Comment 4•4 years ago
|
||
Patch for this landed in AC 48/52 and was part of Fenix build 79.0.3 and 80.0.0 Beta 5.
|
|
||
Updated•4 years ago
|
Status: ASSIGNED → RESOLVED
Type: task → defect
Closed: 4 years ago
status-firefox79:
--- → fixed
status-firefox80:
--- → fixed
status-firefox81:
--- → fixed
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → unaffected
Resolution: --- → FIXED
|
||
Comment 5•4 years ago
|
||
Verified as fixed on Firefox RC 79.0.3 and 80.0.0 beta 5 with:
- Samsung Galaxy Note 10 (Android 10)
- Google Pixel 3 (Android 11)
- Nokia 6 (Android 7.1.1)
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•3 years ago
|
Group: core-security-release
|
||
Updated•2 years ago
|
Component: Security: Android → General
OS: Unspecified → Android
You need to log in
before you can comment on or make changes to this bug.
Description
•