Closed
Bug 184436
Opened 22 years ago
Closed 22 years ago
password stealing using prompt() or getSelection()
Categories
(SeaMonkey :: Passwords & Permissions, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: bugzilla, Assigned: darin.moz)
References
Details
(Keywords: regression)
Attachments
(2 files)
|
710 bytes,
text/html
|
Details | |
|
895 bytes,
patch
|
dougt
:
review+
dveditz
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021207 Phoenix/0.5
The website xrefer.com have a bookmarklet called XreferIt that lets you search
there online reference material. If you have any text selected then the
JavaScript should pick this up and pass it on to Xrefer. Here's the JS:
javascript:var x;self.onerror = errorHandler;
function errorHandler(message, url, line){
if(x==null || x==''){
void(x=prompt('Please enter text to search xrefer - the web\'s reference
engine.',''));
}
if(x!=null && x!=''){
location.href='http://www.xrefer.com/results.jsp?term='+escape(x)+'&source=xreferit';}return
true;
}
if(frames.length == 0){
x=window.getSelection();
}else{
for(i=0;i<frames.length;i++){if(frames[i].frames.length == 0){
x = frames[i].window.getSelection();
}else{
for(j=0;j<frames[i].frames.length;j++){
x = frames[i].frames[j].window.getSelection();
if(x){
break;
}
}
}
if(x){break;}}}if(x==null || x==''){
void(x=prompt('Enter text to search xrefer - the web\'s reference engine.',''));
}
if(x!=null && x!=''){
location.href= 'http://www.xrefer.com/results.jsp?term=' +
escape(x)+'&source=xreferit';
}
This used to work in 0.4 but in 0.5 it seems that 90% of the time "x" works out
to be my proxy password (the only place Phoenix has this particular password
stored).
Reproducible: Sometimes
Steps to Reproduce:
1. Download the bookmarklet from http://www.xrefer.com/xreferit.jsp
2. Configure the browser to surf via a Proxy server.
3. Store your password and continue to use the bookmarklet.
Actual Results:
Xrefer receives my password via the URL!
Expected Results:
Not my password!
|
||
Comment 1•22 years ago
|
||
Using Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20021207
Phoenix/0.5
I haven't configured a proxy password, however, window.getSelection() returns an
empty string (instead of an undefined). On the other hand,
document.getSelection() returns a password. Reproducibly, this is the first one
from the password list (in the ".s"-file)
|
|
||
Comment 2•22 years ago
|
||
It appears that the problem is not only getSelection(), but also the prompt()
method.
|
||
Comment 3•22 years ago
|
||
This problem was fixed once before, in bug 148520.
Severity: normal → critical
Summary: Bookmarklt using window.getSelection() sends my proxy password as the selected text → Bookmarklet using prompt() or getSelection() sends my proxy password
|
||
Comment 4•22 years ago
|
||
Confirming bug, and this happens in Mozilla as well. Since bug 148520 Jesse
references was in singsign.cpp and Darin just rewrote a chunk of that (checked
in 12/5) I'm going to reassign to him.
Assignee: chanial → darin
Status: UNCONFIRMED → NEW
Component: Bookmarks → Password Manager
Ever confirmed: true
Product: Phoenix → Browser
Version: unspecified → Trunk
|
|
||
Comment 5•22 years ago
|
||
The original summary "Bookmarklet using prompt() or getSelection() sends my
proxy password" minimizes the problem. Users initiate bookmarklets, but any
script can do document.getSelection() without user action, and then send off the
password it gets.
The password appears to be the first one in the .s file (as mentioned by Jesse
in the older bug). The attacker might not know what site it's for, but any
password could be useful in attempting attacks.
Group: security
Keywords: regression
Summary: Bookmarklet using prompt() or getSelection() sends my proxy password → password stealing using prompt() or getSelection()
|
Assignee | |
Comment 6•22 years ago
|
||
simple, low-risk fix.
|
|
Assignee | |
Updated•22 years ago
|
Attachment #109150 -
Flags: superreview?(dveditz)
Attachment #109150 -
Flags: review?(dougt)
|
||
Comment 7•22 years ago
|
||
Comment on attachment 109150 [details] [diff] [review]
v1 patch
fix yup that comment, and add a comment above si_GetURL explaining why passing
null is seriously wrong.
Attachment #109150 -
Flags: review?(dougt) → review+
|
|
||
Comment 8•22 years ago
|
||
Darin thinks this may be the cause of a mail password regression Bienvenu is seeing.
|
||
Comment 9•22 years ago
|
||
it certainly looks like that would fix the problem we're having in mail/news. I
can try applying the patch to make sure.
|
|
||
Comment 10•22 years ago
|
||
yes, thx, it does fix the mailnews problem.
|
|
||
Comment 11•22 years ago
|
||
*** Bug 184571 has been marked as a duplicate of this bug. ***
|
|
||
Comment 12•22 years ago
|
||
Stefan Moebius figured out that the password returned is the first in the .s
file, not me.
|
|
Assignee | |
Comment 13•22 years ago
|
||
*** Bug 184115 has been marked as a duplicate of this bug. ***
|
||
Comment 14•22 years ago
|
||
fwiw, that mail regression that was talked about is the bug 184115 that was
older than this and just marked a duplicate of this one.
|
|
||
Comment 15•22 years ago
|
||
Comment on attachment 109150 [details] [diff] [review]
v1 patch
>+ // XXX how can this be right?!?
>+ LOG((" returning first element in the signon list\n"));
> return (si_SignonURLStruct *) (si_signon_list->ElementAt(0));
boy, I hate leaving this here. This is the second time this
exploit has come up so clearly this odd behavior is a trap
waiting to happen. But this behavior is used by SI_DeleteAll
and SI_RemoveAllSignonData() which pass NULL to si_RemoveUser()
which in turn calls si_GetURL. And knowing a little about this
convoluted code it might not be the only place that's taking
advantage of this magic behavior.
We need to fix that, but let's take the safe fix for now (trying
to get this into 1.3a) and try to clean this up later.
> primaryUrl = si_GetURL(primaryRealm);
>- legacyUrl = si_GetURL(legacyRealm);
>+
>+ if (legacyRealm)
>+ legacyUrl = si_GetURL(legacyRealm);
>+ else
>+ legacyUrl = nsnull;
I'm concerned primaryRealm might also be NULL. The code above this
specific exploit prevents this, but there are other paths into
si_GetCompositeURL that don't pre-flight this value. I'd be
more comfortable if you did both values
primaryUrl = (primaryRealm) ? si_GetURL(primaryRealm) : nsnull;
legacyUrl = (legacyRealm) ? si_GetURL(legacyRealm) : nsnull;
|
|
Assignee | |
Comment 16•22 years ago
|
||
dveditz: i think any change like that is risky. the old code (before
si_GetCompositeURL) allowed for a NULL passwordRealm. i really don't think we
should risk such a change for 1.3 alpha even if it seems like a safe thing.
|
|
||
Comment 17•22 years ago
|
||
Comment on attachment 109150 [details] [diff] [review]
v1 patch
sr=dveditz on this patch unchanged. Darin has convinced me of the virtues of
extreme conservatism in this code since it often breaks in unexpected ways due
to all the interrelations.
Attachment #109150 -
Flags: superreview?(dveditz) → superreview+
|
||
Comment 18•22 years ago
|
||
patch landed on the 1_3a release tag, a=asa
|
|
||
Comment 19•22 years ago
|
||
Since this will make it into 1.3a (leaf is respinning) and didn't affect
previous milestones I guess this doesn't need to be security-sensitive any more.
Group: security
|
|
Assignee | |
Comment 20•22 years ago
|
||
fixed-on-trunk
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 21•22 years ago
|
||
i filed bug 185118 "si_GetURL returns first password entry if given a null
argument" as a followup to this bug.
|
||
Comment 22•22 years ago
|
||
I'll verify this tomorrow. I can also reproduce.
|
||
Comment 23•22 years ago
|
||
using commercial
2002-12-13-08-trunk xp, linux 2.2
2002-12-13-07-trunk mac 10.1.5
the problem with the Mail password as described in bug 184571
has been fixed.
|
|
||
Comment 24•22 years ago
|
||
*** Bug 185246 has been marked as a duplicate of this bug. ***
|
|
||
Comment 25•22 years ago
|
||
I also see this as fixed on the trunk.
|
|
||
Comment 26•22 years ago
|
||
*** Bug 185075 has been marked as a duplicate of this bug. ***
|
||
Comment 27•22 years ago
|
||
*** Bug 184485 has been marked as a duplicate of this bug. ***
|
||
Comment 28•22 years ago
|
||
*** Bug 186072 has been marked as a duplicate of this bug. ***
|
|
||
Comment 29•22 years ago
|
||
*** Bug 187237 has been marked as a duplicate of this bug. ***
|
||
Comment 30•22 years ago
|
||
How would i remove that password from my password manager in Phoenix 0.5? Since
password manager exists, but is inaccessable, what file should i delete to
remove all the stored passwords?
|
|
||
Comment 31•22 years ago
|
||
You need to remove a file whose name consists of 8 numbers + '.s'.
|
||
Comment 32•22 years ago
|
||
Need more information
|
||
Comment 33•22 years ago
|
||
>Need more information
For what ?
This bug is fixed and there is no reason for more information.
|
|
||
Comment 34•22 years ago
|
||
*** Bug 192986 has been marked as a duplicate of this bug. ***
|
|
||
Comment 35•22 years ago
|
||
*** Bug 185075 has been marked as a duplicate of this bug. ***
|
|
||
Comment 36•22 years ago
|
||
*** Bug 196216 has been marked as a duplicate of this bug. ***
|
|
||
Comment 37•22 years ago
|
||
I dont quite understand what your e-mail is saying exactly. What is it I am
supposed to do with the e-mail since it is new? Please understand I dont know
computers & I kept getting messages I had a bug so I looked you up & from
there........ I was kinda lost. Can you please help me to understand what is
was going on? & what exactly I am supposed to do with the e-mail?
|
||
Updated•20 years ago
|
Product: Browser → Seamonkey
|
||
Comment 38•15 years ago
|
||
VERIFIED Windows NT 5.1; en-US; rv:1.9.1.5pre) Gecko/20091019
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•