Same-Origin Policy Bypass Image Size Leak in Drag and Drop
Categories: Core :: DOM: Copy & Paste and Drag & Drop, defect, P2
References: Regression
People: Reporter: dlehgus1023, Assigned: tschuster
Keywords: csectype-disclosure, regression, sec-low
Whiteboard: [disclosure deadline 2023-04-29][adv-main110+]
Attachments: 3 files, 1 obsolete file
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Steps to reproduce:
Title
- Same-Origin Policy Bypass Image Size Leak in Drag and Drop
Summary
- A Same-Origin Policy Bypass vulnerability exists in Drag and Drop.
- If this vulnerability is exploited, it is possible to bypass the Same-Origin Policy and leak the size of the image.
Test environment
- Product : Mozilla Firefox 109
- OS : Windows 10 (21H2), macOS Ventura 13.2
Proof-of-Concept
- Please check the attached file!
Reproduce
- Open the server and access the poc page.
- When you drag and drop an image, the size of the image is leaked.
CREDIT Information
- Dohyun Lee (@l33d0hyun) of SSD Labs
similar case:
CVE-2022-42824 : Same-Origin Policy Bypass Image Size Leak in Apple Safari
https://support.apple.com/ko-kr/HT213495
This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2023-04-29.
Comment 4•1 year ago
Bug 1812611 should fix this case; we would simply not allow access to the image data when dragging in the same tab.
Comment 5•1 year ago
Does that mean this is also a regression from bug 1437126?
Comment 6•1 year ago
Set release status flags based on info from the regressing bug 1437126
This vulnerability works in the same way as the Safari SOP Bypass vulnerabilities I recently reported to Apple, CVE-2022-42824 and CVE-2022-46698.
There was no mention of Firefox, but the PoC (for CVE-2022-42824 and CVE-2022-46698) has been released to some people, so a quick patch may be needed.
+crbug.com/1264873 has a very similar PoC.
- Please set the sec-level and severity.
Comment 8•1 year ago
We'll look at this bug later today in our security triage meeting and assign a rating, hopefully.
Comment 9•1 year ago
The bug is marked as tracked for firefox110 (beta) and tracked for firefox111 (nightly). We have limited time to fix this, the soft freeze is in 7 days. However, the bug still isn't assigned.
:hsinyi, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit auto_nag documentation.
Comment 10•1 year ago
Tom, could you mark this bug as fixed if it was indeed entirely fixed by bug 1812611? Thanks.
Comment 11•1 year ago (Assignee)
This is indeed entirely fixed by disabling the feature, as done in bug 1812611.
Comment 13•1 year ago
Please stop need-infoing me. Other people will look at this.
Comment 14•1 year ago
(In reply to DoHyun Lee from comment #12)
> can i get a cve id??
CVEs are typically assigned closer to release of the versions where fixes are shipped. If you are wondering about bug bounties, the bug bounty committee typically meets once a week to make decisions about those. This bug will be updated when either of those things happens.
Comment 15•1 year ago
Comment 16•1 year ago (Reporter)
CREDIT Information,
Dohyun Lee (@l33d0hyun) of SSD Labs
Thanks!
Comment 17•1 year ago (Reporter)
(In reply to DoHyun Lee from comment #16)
> CREDIT Information,
> Dohyun Lee (@l33d0hyun) of SSD Labs
> Thanks!
Please check comment 16!
Comment 18•1 year ago
Comment 20•1 year ago (Reporter)
Thank you :)
Comment 21•1 year ago
Reproduced the issue with Firefox 111.0a1 (2023-01-29) on Windows 10x64. Loaded the attached test case inside a simple python server and dragged an image which resulted in showing the image size in an alert box.
The image size alert box is no longer displayed when dragging the images from the attached test case with Firefox 110.0.1, 111.0b8 and 112.0a1 (2023-03-05) on Windows 10x64, macOS 12 and Ubuntu 20.04.
Just to be extra safe, is the above verification enough? I am not sure if I should look for anything else in order to verify this issue. Thank you in advance!
Comment 22•1 year ago (Assignee)
Thanks Alexandru!
> Just to be extra safe, is the above verification enough? I am not sure if I should look for anything else in order to verify this issue. Thank you in advance!
That is good enough. I had previously verified the fix on Nightly myself as well.
(In reply to Tom Schuster (MoCo) from comment #22)
> Thanks Alexandru!
> > Just to be extra safe, is the above verification enough? I am not sure if I should look for anything else in order to verify this issue. Thank you in advance!
> That is good enough. I had previously verified the fix on Nightly myself as well.
Thank you!
Closing per comment 21 and comment 22.
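The manual check in comments 21 and 22 (drag an image, see whether the drop target can report its size) can be turned into a small page script that works as a regression test for the behaviour comment 4 describes. The following is an added example, not the reporter's attached PoC and not Mozilla code. It assumes that the leak vector is the dragged image being exposed to the drop target as a File in `dataTransfer.files` (as comment 4's "access to the image data" suggests); the element ids `probe` and `zone`, the function names and the constructed test inputs are this example's own.

```javascript
// Added example: drop-target harness for checking whether a browser hands a
// drop handler the bytes of an <img> dragged within the same tab. Not the
// reporter's PoC; the ids, names and mechanism below are assumptions.

// Pure summary of what a DataTransfer-like object exposes, kept free of DOM
// calls so it can be unit-tested outside a browser. `dt` is assumed to look
// like the DOM DataTransfer: `types` (array of strings) and `files`
// (array-like of objects with `name`, `type` and `size`).
function summarizeDrop(dt) {
  const types = Array.from(dt.types || []);
  const files = Array.from(dt.files || []);
  const images = files.filter(
    (f) => typeof f.type === "string" && f.type.startsWith("image/")
  );
  return {
    types,
    fileCount: files.length,
    imageFiles: images.map((f) => ({ name: f.name, type: f.type, size: f.size })),
    // A File for the dragged <img> is what lets a drop target decode the
    // image and learn its byte size and pixel dimensions.
    exposesImageData: images.length > 0,
  };
}

// Decode a dropped image Blob to get its pixel dimensions (browser only).
async function imageDimensions(blob) {
  const bmp = await createImageBitmap(blob);
  const dims = { width: bmp.width, height: bmp.height };
  bmp.close();
  return dims;
}

// Wire the harness to the page when running in a browser. The page is
// assumed to contain a cross-origin <img id="probe"> and a <div id="zone">.
if (typeof document !== "undefined") {
  const zone = document.getElementById("zone");
  zone.addEventListener("dragover", (e) => e.preventDefault());
  zone.addEventListener("drop", async (e) => {
    e.preventDefault();
    const summary = summarizeDrop(e.dataTransfer);
    const lines = [
      `types: ${summary.types.join(", ")}`,
      `files: ${summary.fileCount}`,
    ];
    for (const f of summary.imageFiles) {
      lines.push(`image file ${f.name} (${f.type}, ${f.size} bytes)`);
    }
    if (summary.exposesImageData) {
      // e.dataTransfer.files is a FileList; the dragged image is the first entry.
      const dims = await imageDimensions(e.dataTransfer.files[0]);
      lines.push(`LEAK: dimensions readable: ${dims.width}x${dims.height}`);
    } else {
      lines.push("OK: no image data exposed to the drop target");
    }
    zone.textContent = lines.join("\n");
  });
}
```

Serve the page from a local HTTP server as comment 21 does, point `#probe` at an image on a different origin, and drag it onto `#zone`. A build with the bug 1812611 change should list no image files and print the OK line; a build that reports dimensions for a cross-origin image is exposing data the drop target should not have.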