Bug 172498 (Closed)
hcp: exploit on winxp can delete the contents of any directory
Opened 21 years ago, closed 21 years ago
Categories: Core :: Security, defect
Tracking: RESOLVED DUPLICATE of bug 163648, mozilla1.2beta
People: Reporter: zzxc, Assigned: dveditz
A Windows XP bug allows a URL hcp://system/DFS/uplddrvinfo.htm?file://path-to-a-file to erase that file. Wildcards can be used to erase an entire directory. hcp://system/DFS/uplddrvinfo.htm?file://c:\* would delete anything in the root directory. In Mozilla, as well as IE, this URL can be accessed in any way for the exploit to work, EVEN IN AN IMAGE. See the URL attached to this bug for a demo that deletes the contents of "c:\delthis" via this URL in an image tag. This leaves anyone who hasn't downloaded the VERY large winxp SP1 at much risk.

Mozilla should refuse to pass the hcp protocol to Windows to deal with - there's no reason why a web page should be launching the winxp help center. Please note that this bug in Windows has no patch for it - it is only patched in Windows XP. The hcp protocol should return something like "disabled for security reasons."
Comment 1•21 years ago
>who hasn't downloaded the VERY large winxp SP1
It's your problem if you don't apply security patches! (And it's also a problem for other users with bugs like Code Red.) Duping to a possible wontfix bug.
*** This bug has been marked as a duplicate of 167475 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Comment 2•21 years ago
BTW: there is a better bug in Bugzilla but it's AFAIK marked as a security bug = can't search and can't dupe (could be the blocking bug in bug 167475)
Comment 3•21 years ago (Reporter)
This Windows bug is more dangerous than most - it doesn't require you to be running IE. Many people use Mozilla trying to stay safe from IE. Little do they know that Windows put one of their worst bugs in an external protocol handler fetched by Mozilla, and any website can instantly delete anything on the user's hard disk. I think this protocol should be disabled on Windows builds (it wouldn't hurt to do it on all builds because it only exists on Windows XP) at least temporarily.

Also, Microsoft didn't release a security patch for this. They fixed it silently with service pack 1, a 130+ megabyte download. On my Windows box, I've unregistered the protocol... but most people don't even know about it. Press coverage of SP1 was that it didn't improve enough, and that people should be in no hurry to use it. In fact, it won't be on new Windows XP computers until sometime in 2003.

Until a permanent fix for executing *all* external protocols is found, this should be done to protect users' data. Can you think of any reason for Mozilla to launch the Windows XP helpdesk? I can't. Also, this Windows flaw should bring that security bug back to the front burner - Mozilla should NOT allow this to take place.
Comment 4•21 years ago (Reporter)
In addition, there are more security bugs in the Windows helpdesk that aren't even fixed by service pack 1. Disabling the hcp protocol in Mozilla would protect Windows users from this and other bugs arising from the hcp protocol loading any HTML file in the helpdesk with elevated permissions. I would suggest quietly patching Windows builds.
Comment 6•21 years ago (Assignee)
You're probably thinking of the vbscript: bug 163648, but it really isn't a dupe since that calls out vbscript launching IE specifically. If we block all external protocols it'll catch this one, if we blacklist we need to add this one explicitly.
Group: security?
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Summary: Mozilla allows winxp flaw to be exploited, deleting the contents of ANY directory on the hard disk → hcp: exploit on winxp can delete the contents of any directory
Comment 7•21 years ago (Assignee)
taking bug
Assignee: new-network-bugs → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: mozilla1.0.2
Target Milestone: --- → mozilla1.2beta
Comment 8•21 years ago
dveditz: in my email with benc and my IRC chat with bbaetz about this (because I wasn't sure about this duping) I suggested a whitelist. A blacklist would be easier but a whitelist would be more secure and it would be a final solution (or you must add a new protocol to the list every year). Opera also has a whitelist for external protocols. And yes, I mean the vbscript bug.
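The blacklist-versus-whitelist choice discussed in comments 6 and 8, as an added JavaScript sketch (not Mozilla's code and not part of the original thread). The function names, the `INTERNAL` and `ALLOWLIST` contents and the `newhelper:` scheme used in testing are assumptions for illustration; `hcp` and `vbscript` are the schemes named in this bug.

```javascript
// Added illustration: deciding whether a URL may be handed to an
// OS-registered external protocol handler. List contents are assumptions.
const INTERNAL = new Set(["http", "https", "ftp", "file", "about"]); // handled in-browser
const BLOCKLIST = new Set(["hcp", "vbscript"]); // schemes named in this bug
const ALLOWLIST = new Set(["mailto", "news"]);  // assumed acceptable external handlers

// Extract the scheme the way a URL parser sees it: leading C0 controls and
// spaces are stripped, tab/CR/LF are dropped anywhere, and the scheme is
// case-insensitive. Skipping this lets " HcP:" or "h\ncp:" slip past a
// naive string comparison.
function schemeOf(url) {
  const cleaned = String(url)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\r\n]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Returns "internal", "external" (pass to the OS handler) or "refuse".
// policy is "blocklist" or "allowlist"; anything else is treated as allowlist.
function decide(url, policy) {
  const scheme = schemeOf(url);
  if (scheme === null) return "refuse"; // no parseable scheme: fail closed
  if (INTERNAL.has(scheme)) return "internal";
  if (policy === "blocklist") {
    // Default allow: every handler not yet known to be dangerous still runs.
    return BLOCKLIST.has(scheme) ? "refuse" : "external";
  }
  // Default deny: a handler registered later is refused until it is reviewed.
  return ALLOWLIST.has(scheme) ? "external" : "refuse";
}
```

Both policies refuse `hcp:`, but only the allowlist refuses a scheme nobody has listed yet, which is the maintenance cost comment 8 describes for the blacklist.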
Comment 9•21 years ago (Assignee)
duping to the vbscript bug since that interim blacklist catches this one too. We'll leave the preferred solution to one of the remaining non-security bugs linked above since there's no reason for that work to be confidential.
*** This bug has been marked as a duplicate of 163648 ***
Status: NEW → RESOLVED
Closed: 21 years ago → 21 years ago
Resolution: --- → DUPLICATE
Comment 10•21 years ago
What component owns the dupe? I'm not permitted to see it, so I'm going to assume it is not Networking, but Security. If the bug is relevant to Networking or you need help w/ networking aspects, feel free to cc me. If not, please do not. I need to clean up my resolved/mozilla1.2x bugs, so if I don't hear from anyone by Friday, I'm going to change components.
Comment 11•21 years ago
->SEC per previous comments
Component: Networking → Security: General
QA Contact: benc → bsharma
Updated•20 years ago
Group: security