Closed Bug 220257 Opened 21 years ago Closed 21 years ago

Mozilla favors writing/executing on harddisk, using .hta files

Product/Component: Core Graveyard :: File Handling
Type: defect
Platform: x86, Windows 2000
Priority: Not set
Severity: critical
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: mozilla1.6alpha
Reporter: berndheinze69
Assignee: Biesinger
Keywords: fixed1.4.2, fixed1.5
Whiteboard: [sg:fix]
Attachments: 1 file
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.4) Gecko/20030624
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.4) Gecko/20030624

Due to a bug in Internet Explorer, .hta files can write and execute files on the hard disk. When Mozilla loads an hta file for the first time, it asks the user what to do with it, and defaults to run and don't ask again. Most users who don't know what hta is and who don't know about the bug in Internet Explorer will hit OK because they think it's safe. I also thought that Mozilla is safe regarding bugs like this, but a dialer that installed automatically on my system proved me wrong.

Reproducible: Always

Steps to Reproduce:
1. Create the following file test.hta on your hard disk:

    <html><head>
    <hta:application id=hta_note_id applicationName=hta_note_name showInTaskBar=no caption=no innerBorder=no selection=no scroll=no contextmenu=no />
    <script language=javascript>
    window.resizeTo(0, 0);
    window.moveTo(0, 0);
    </script>
    </head>
    <body>
    <script language=vbscript>
    h0 = "pause"
    </script>
    <script language=javascript>
    var fs = new ActiveXObject('Scripting.FileSystemObject');
    var ts = fs.CreateTextFile("c:\\test.bat", true, false);
    ts.Write(h0);
    ts.Close();
    var wsh = new ActiveXObject('WScript.Shell');
    wsh.Run("c:\\test.bat");
    window.close();
    </script></body></html>

2. Drag the file into Mozilla
3. a) If it's the first time Mozilla loads an application/hta file, a window will pop up asking what to do, which defaults to run, and don't ask again. Click OK
   b) If there is already an entry for application/hta, Mozilla does what is specified (probably the default setting)
4. Enjoy the message

Actual Results:
Program on hard disk that can do anything. Delete data, spy out passwords

Expected Results:
Mozilla should treat application/hta files like .exe files. Don't ask, don't run, just save them on hard disk. The user can run them manually if he really wants to.
ok... taking
Assignee: file.handling → cbiesinger
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attachment #132136 - Flags: superreview?(darin)
Attachment #132136 - Flags: review?(dougt)
Thank you for working so quickly on this bug. I looked at the patch and to me it seemed like it only checks the file extension. Does that mean that this link still works? http://www.heise.de/security/dienste/browsercheck/demos/ie/htaalert.php This link seems like a (harmless) php-File but is in reality a (harmless) exploit delivered as "application/hta".
No, that doesn't work either. The checked file extension is the final one, which is also .hta in this example.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.6alpha
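The final-extension check described in the comment above, sketched as an added example; it is not the patch from attachment 132136 or Mozilla's own code. The function names and the short extension list are assumptions for illustration, and the handling of case and of trailing dots and spaces goes beyond what the thread states.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <iostream>
#include <string>

// Illustrative list (an assumption, not Mozilla's actual list): extensions that
// Windows runs or hands to a script host when the file is opened.
static const std::array<const char*, 8> kExecutableExts = {
    "bat", "cmd", "com", "exe", "hta", "pif", "scr", "vbs"};

// Final extension of a Windows leaf name, lowercased, without the dot.
std::string finalExtension(std::string leaf) {
    // Look only at the leaf name, not at directory components.
    const auto sep = leaf.find_last_of("\\/");
    if (sep != std::string::npos) leaf.erase(0, sep + 1);
    // Win32 drops trailing dots and spaces, so "test.hta. " opens as "test.hta".
    const auto end = leaf.find_last_not_of(". ");
    if (end == std::string::npos) return "";
    leaf.erase(end + 1);
    // Only the last dot counts: "notes.txt.hta" is an .hta file.
    const auto dot = leaf.rfind('.');
    if (dot == std::string::npos) return "";
    std::string ext = leaf.substr(dot + 1);
    std::transform(ext.begin(), ext.end(), ext.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return ext;
}

// True when the name should be treated like an .exe: saved to disk, never opened.
bool isExecutableName(const std::string& leaf) {
    const std::string ext = finalExtension(leaf);
    return std::any_of(kExecutableExts.begin(), kExecutableExts.end(),
                       [&](const char* e) { return ext == e; });
}

int main() {
    // Constructed sample names, not taken from the bug report.
    for (const char* n : {"report.pdf", "test.hta", "notes.txt.HTA", "test.hta. "})
        std::cout << n << " -> " << (isExecutableName(n) ? "save only" : "may open") << "\n";
    return 0;
}
```

The check has to run on the name the file will have on disk; a URL path ending in .php says nothing about the extension of the saved file.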
Comment on attachment 132136 (patch)
sr=bzbarsky
Attachment #132136 - Flags: superreview?(darin) → superreview+
Attachment #132136 - Flags: review?(dougt) → review+
Checking in nsLocalFileWin.cpp;
/cvsroot/mozilla/xpcom/io/nsLocalFileWin.cpp,v <-- nsLocalFileWin.cpp
new revision: 1.108; previous revision: 1.107
done
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment on attachment 132136 (patch)
would be nice to get this security fix into 1.5 and 1.4.2, too... it just makes it so that .hta files are also considered executable, should be very low risk.
Attachment #132136 - Flags: approval1.5?
Attachment #132136 - Flags: approval1.4.2?
Is it already too late for 1.4.1?
to my knowledge, it is.
Flags: blocking1.5?
Flags: blocking1.4.2?
I think this should get fixed on the 1.4 branch. I'm recommending it for 1.5 also, but I'll let another driver mark the bug blocking1.5. /be
Flags: blocking1.4.2? → blocking1.4.2+
Comment on attachment 132136 (patch)
a=asa (on behalf of drivers) for checkin to the 1.5 branch.
Attachment #132136 - Flags: approval1.5? → approval1.5+
looks like brendan already checked this into the 1.5 branch
Keywords: fixed1.5
Yes, sorry -- thought I updated this bug (I switched machines and may have left a bugzilla login screen up). /be
Flags: blocking1.5?
Comment on attachment 132136 (patch)
Please check into the 1.4 branch. /be
Attachment #132136 - Flags: approval1.4.2? → approval1.4.2+
fixed on 1.4 branch
Checking in nsLocalFileWin.cpp;
/cvsroot/mozilla/xpcom/io/nsLocalFileWin.cpp,v <-- nsLocalFileWin.cpp
new revision: 1.102.2.2; previous revision: 1.102.2.1
done
Keywords: fixed1.4
Whiteboard: [sg:fix]
Product: Core → Core Graveyard