Closed Bug 172498 Opened 22 years ago Closed 22 years ago

hcp: exploit on winxp can delete the contents of any directory


(Core :: Security, defect)

Windows XP
Not set





(Reporter: zzxc, Assigned: dveditz)




A windows xp bug allows a url hcp://system/DFS/uplddrvinfo.htm?file://path-to-a-file
to erase that file.  Wildcards can be used to erase an entire directory. 
hcp://system/DFS/uplddrvinfo.htm?file://c:\* would delete anything in the root

In mozilla, as well as IE, this url can be accessed in any way for the exploit
to work, EVEN IN AN IMAGE.  See the url attached to this bug for a demo that
deletes the contents of "c:\delthis" via this url in an image tag.

This leaves anyone who hasn't downloaded the VERY large winxp SP1 at much risk.
 Mozilla should refuse to pass the hcp protocol to windows to deal with -
there's no reason why a web page should be launching the winxp help center.

Please note that this bug in windows has no patch for it - it is only patched in
windows xp.  The hcp protocol should return something like "disabled for
security reasons."
>who hasn't downloaded the VERY large winxp SP1

It's your problem if you don't apply security patches !
(And it's also a problem for other user with bugs like Code Red)
duping to a possible wontfix bug.

*** This bug has been marked as a duplicate of 167475 ***
Closed: 22 years ago
Resolution: --- → DUPLICATE
BTW: there is a better bug in bugzilla but it's AFAIK marked as security bug =
can't search and can't dupe (could be the blocking bug in bug 167475)
This windows bug is more dangerous than most - it doesn't require you to be
running IE.  Many people use mozilla trying to stay safe from IE.  Little do
they know that windows put one of their worst bugs in an external protocol
handler fetched by mozilla, and any website can instantly delete anything on the
user's harddisk.  I think this protocol should be disabled on windows builds (it
wouldn't hurt to do it on all builds because it only exists on windows xp) at
least temporarily.

Also, Microsoft didn't release a security patch for this.  They fixed it
silently with service pack 1, a 130+ megabyte download.  On my windows box, I've
unregistered the protocol... but most people don't even know about it.  Press
coverage of SP1 was that it didn't improve enough, and that people should be in
no hurry to use it.  In fact, it won't be on new windows xp computers until
sometime in 2003.

Until a permanent fix for executing *all* external protocols is found, this
should be done to protect user's data.  Can you think of any reason for mozilla
to launch the windows xp helpdesk?  I can't.

Also, this windows flaw should bring that security bug back to the front burner
- mozilla should NOT allow this to take place.
In addition, there are more security bugs in the windows helpdesk that aren't
even fixed by service pack 1.  Disabling the hcp protocol in mozilla would
protect windows users from this and other bugs arising from the hcp protocol
loading any html file in the helpdesk with elevated permissions.  I would
suggest quietly patching windows builds.
+cc mitch.
You're probably thinking of the vbscript: bug 163648, but it really isn't a dupe
since that calls out vbscript launching IE specifically. If we block all
external protocols it'll catch this one, if we blacklist we need to add this one
Group: security?
Resolution: DUPLICATE → ---
Summary: Mozilla allows winxp flaw to be exploited, deleting the contents of ANY directory on the hard disk → hcp: exploit on winxp can delete the contents of any directory
taking bug
Assignee: new-network-bugs → dveditz
Ever confirmed: true
Keywords: mozilla1.0.2
Target Milestone: --- → mozilla1.2beta
in my email with benc and my irc chat with bbaetz about this (because i wasn't
sure about this duping) i suggested a whitelist. A blacklist would be easier but
a whitelist would be more secure and it would be a final solution (or you must
add every year a new protocol to the list)
Opera has also a whitelist for external protocols

And yes i mean the vbscript bug.
Depends on: 167475, 173010
duping to the vbscript bug since that interim blacklist catches this one too.
We'll leave the preferred solution to one of the remaining non-security bugs
linked above since there's no reason for that work to be confidential

*** This bug has been marked as a duplicate of 163648 ***
Closed: 22 years ago22 years ago
Resolution: --- → DUPLICATE
What component owns the dupe? I'm not permitted to see it, so I'm going to
assume it is not Networking, but Security.

If the bug is relevant to Networking or you need help w/ networking aspects,
feel free to cc me. If not, please do not. 

I need to clean up my resolved/mozilla1.2x bugs, so if I don't hear from anyone
by Friday, I'm going to change components.
->SEC per previous comments
Component: Networking → Security: General
QA Contact: benc → bsharma
Group: security
You need to log in before you can comment on or make changes to this bug.