Bug 273699 - (sa13129) 2 Frame Injection Vulnerabilities (popup blocking race condition & onunload event mis-firing) [Secunia Advisory SA13129 moderately critical]
Status: VERIFIED FIXED
Whiteboard: [sg:fix] see bug 103638
Keywords: fixed-aviary1.0.1, fixed1.7.6
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: All All
Importance: -- critical with 8 votes
Target Milestone: ---
Assigned To: Daniel Veditz [:dveditz]
URL: http://secunia.com/advisories/13129/
Duplicates: 273848 273870 274835 277114
Depends on: 103638
Blocks: sg-ff101 sg-moz176
Reported: 2004-12-08 03:24 PST by Daniel Wang
Modified: 2014-04-26 03:29 PDT
Flags:
chofmann: blocking1.7.5+
dveditz: blocking1.7.6+
dveditz: blocking-aviary1.0.1+
dveditz: blocking1.8a6+
bzbarsky: in-testsuite+

Attachments
testcase 1 - Time-Delayed Popup Replacing Frame of a Different Site (Race Condition) (604 bytes, text/html)
2004-12-08 03:45 PST, Daniel Wang
testcase 2 - Event Misfiring (a window can replace another window with the same name) (601 bytes, text/html)
2004-12-08 04:04 PST, Daniel Wang

Description Daniel Wang 2004-12-08 03:24:03 PST
Secunia has reported that there is a frame injection vulnerability in Mozilla.
The test is a bit confusing, so here are the steps to reproduce (tested in Firefox 1.0).

First test (w/ popup blocking)
1. enable popup blocker
2. open www.citibank.com/us/index.htm in one tab
3. open secunia.com/multiple_browsers_window_injection_vulnerability_test/
   in another tab
4. in vulnerability test page, click
    "Test Now - With Pop-up Blocker - Left Click On This Link"
5. close the new CitiBank window that opens
6. return to the CitiBank tab, and click
    [(!)Consumer Alert]

2nd test (w/o pop-up blocking)
1. disable popup blocker
2. close the vulnerability test page if you had it opened
3. open
   secunia.com/multiple_browsers_window_injection_vulnerability_test/
4. click
   "Test Now - Without Pop-up Blocker - Left Click On This Link"
5. in the CitiBank window, click
   [(!)Consumer Alert]

Results: CitiBank's popup gets replaced by Secunia content
Comment 1 Daniel Wang 2004-12-08 03:45:56 PST
Created attachment 168202 [details]
testcase 1 - Time-Delayed Popup Replacing Frame of a Different Site (Race Condition)

Vulnerability 1 - Popup Racing

When popup blocking is enabled, a time-delayed popup (via setTimeout) can replace
another popup opened by another site. This requires that
1. both sites attempt to open popups with the same name
2. the legit, 2nd popup is opened before the first one is detected
   (and hence blocked)
Comment 2 Daniel Wang 2004-12-08 04:04:17 PST
Created attachment 168203 [details]
testcase 2 - Event Misfiring  (a window can replace another window with the same name)

Vulnerability 2 - Event Misfiring

Opening a named popup causes the onunload event of another frame with the same name
to fire, enabling it to replace the content of another popup.
Comment 3 Daniel Wang 2004-12-08 06:40:15 PST
workaround fix for Firefox/Mozilla users added:
http://mozillanews.org/?article_date=2004-12-08+06-48-46
Comment 4 Juha-Matti Laurio 2004-12-08 13:41:38 PST
This workaround makes the Address Bar visible in the window opened by, for
example, Secunia's test page (and a fictional malicious Web site).
When dom.disable_window_open_feature.location is set to 'true', the real address
http://secunia.com/ resultpage / [broken with spaces] is shown.
Comment 5 sadlittleboy 2004-12-08 21:50:15 PST
Additional workaround is to install the Tabbrowser Extensions, and configure it
to open popups in new tabs. This has been tested to block the sample code from
Secunia.
Comment 6 qazwsxedc 2004-12-08 21:53:23 PST
Test case 1 above is invalid and the workaround published elsewhere does not
appear to work.  The test case does not work in the same way as
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

To demonstrate, set the dom.disable_window_open_feature.location to 'true', then
try test case 1 above.  You'll get the genuine Citibank content in the popup
window, and the popup does not show any location bar.

Then go to http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
and try Step 2 - With Popup Blocker.  You'll get the spoofed content this time
and the popup still does not show any location bar.

This is using Firefox 1.0 on WinNT4 SP6a.
Comment 7 Nelson Menezes 2004-12-09 01:58:03 PST
It looks like this is JS-specific, and it affects Firefox. Shouldn't the
"product" be changed to whatever component deals with JS? Or to Firefox.
Comment 8 OstGote! 2004-12-09 02:34:34 PST
moving to Security General until further notice
Comment 9 Hugues Fournier (french l10n team) 2004-12-09 03:11:18 PST
Another workaround is to set the old abandoned prefs
browser.block.target_new_window to true, that opens the link in the current
frame/window if the target is unknown/new.
Comment 10 Kevin Brosnan 2004-12-09 04:27:18 PST
*** Bug 273870 has been marked as a duplicate of this bug. ***
Comment 11 Daniel Veditz [:dveditz] 2004-12-09 07:35:51 PST
*** Bug 273848 has been marked as a duplicate of this bug. ***
Comment 12 Boris Zbarsky [:bz] (Out June 25-July 6) 2004-12-09 08:14:45 PST
Note that we have existing bugs on mistargeting, especially across windows and
across security contexts.  So this is a duplicate.
Comment 13 basic 2004-12-09 08:30:02 PST
Playing with testcase 2 a bit, I found that it is only triggered when the
original page is not in a background tab; if it was, the tab is closed and a new
window is created. This isn't really new imho.
Comment 14 Boris Zbarsky [:bz] (Out June 25-July 6) 2004-12-09 10:13:23 PST
One other note.  We have code in docshell that protects against this very
exploit (to test that, replace window.open with <a target="">).  The problem is
that window.open() doesn't use the same target-finder as docshell does.

So chances are, fixing bug 103638 will fix this too.
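The mistargeting that comments 1, 2 and 14 describe, as an added illustrative model: this is not Gecko's docshell or window.open() code, and the "may navigate" rule, the origins, window names and URLs are all assumptions made for the example.

```javascript
// Added illustrative model, not Gecko's docshell or window.open() code. It captures
// the targeting rule comment 14 points at: a named open() should only reuse an
// existing window when the caller is allowed to navigate it. All values are constructed.
class WindowRegistry {
  constructor() {
    this.windows = [];
  }
  // Assumed rule: a caller may navigate a window of its own origin, or one it opened.
  canNavigate(caller, target) {
    return target.origin === caller.origin || target.opener === caller;
  }
  // Load a URL into an existing window, or create a new one owned by the caller.
  navigate(win, caller, name, url, origin) {
    if (win) {
      win.url = url;
      win.origin = origin;
      return win;
    }
    const created = { name, url, origin, opener: caller };
    this.windows.push(created);
    return created;
  }
  // Legacy lookup (the bug): the first window carrying this name is reused,
  // whichever site created it, so a same-named open() from elsewhere replaces it.
  openLegacy(caller, name, url, origin) {
    const hit = this.windows.find((w) => w.name === name);
    return this.navigate(hit, caller, name, url, origin);
  }
  // Checked lookup (the fix's intent): the name only matches windows the
  // caller may navigate; anything else gets a fresh window.
  openChecked(caller, name, url, origin) {
    const hit = this.windows.find((w) => w.name === name && this.canNavigate(caller, w));
    return this.navigate(hit, caller, name, url, origin);
  }
}

// Scenario from the report: a site opens a popup named "alert", then a page on an
// unrelated origin calls open() with the same name. Returns what the first site's
// popup ends up showing and how many windows exist afterwards.
function runScenario(mode) {
  const reg = new WindowRegistry();
  const siteA = { name: "", url: "https://a.example/", origin: "https://a.example", opener: null };
  const siteB = { name: "", url: "https://b.example/", origin: "https://b.example", opener: null };
  reg.windows.push(siteA, siteB);
  const popup = reg[mode](siteA, "alert", "https://a.example/alert", siteA.origin);
  reg[mode](siteB, "alert", "https://b.example/spoof", siteB.origin);
  return { popupUrl: popup.url, windowCount: reg.windows.length };
}
```

Under `openLegacy` the first site's popup ends up showing the second site's URL; under `openChecked` it is untouched and the second site gets a window of its own.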
Comment 15 Dan M 2004-12-13 08:32:52 PST
Comment on attachment 168202 [details]
testcase 1 - Time-Delayed Popup Replacing Frame of a Different Site (Race Condition)

This test (and Secunia's test page) no longer demonstrate any problem because
Citibank's site is no longer usable as an example of this bug. The next
testcase should perhaps not rely on a bank to help demonstrate a spoofing
vulnerability.
Comment 16 OstGote! 2004-12-14 02:42:15 PST
(In reply to comment #15)
> (From update of attachment 168202 [details] [edit])
> This test (and Secunia's test page) no longer demonstrate any problem because
> Citibank's site is no longer usable as an example of this bug. 

Secunia has updated their test page at
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
and now uses usatoday.com.

Only as a note:

Opera 7.54u1 has partly fixed the issue, see
http://www.opera.com/support/search/supsearch.dml?index=782 and
http://secunia.com/advisories/13253/.

Konqueror/KDE 3.2.3 and 3.3.2 have fixed the issue, see
http://www.kde.org/info/security/advisory-20041213-1.txt and
http://secunia.com/advisories/13254/.

Comment 17 Steffen Wilberg 2004-12-14 02:54:54 PST
This only works if I deselect the "force links that open new windows to open in"
checkbox in Firefox's Options->Advanced->Tabbed Browsing (pref
"browser.link.open_newwindow" set to 2, which is the default).
Comment 18 Kelson 2004-12-15 20:12:04 PST
(In reply to comment #17)
> This only works if I deselect the "force links that open new windows to open in"
> checkbox in Firefox's Options->Advanced->Tabbed Browsing (pref
> "browser.link.open_newwindow" set to 2, which is the default).

I do not see this preference in FF 1.0 on Linux.  Furthermore, I have just
verified that the testcase works with a fresh profile -- in other words, all
defaults.

Let's not discount this.
Comment 19 Daniel Veditz [:dveditz] 2004-12-15 20:48:00 PST
We're not discounting this spoof, work is progressing in bug 103638 (see
"depends on" list above) that's intended to fix it.
Comment 20 basic 2004-12-15 22:05:27 PST
is there a bug on the popup race condition in testcase 1?
Comment 21 Phil Ringnalda (:philor) 2004-12-22 17:55:56 PST
*** Bug 274835 has been marked as a duplicate of this bug. ***
Comment 22 Daniel Veditz [:dveditz] 2005-01-05 00:11:56 PST
Yes, this should block 1.8a6
Comment 23 Wilfried Goesgens 2005-01-05 09:48:25 PST
*** Bug 277114 has been marked as a duplicate of this bug. ***
Comment 24 Johnny Stenback (:jst, jst@mozilla.com) 2005-01-10 13:19:56 PST
For the record (and as mentioned in comment 19), the fix for this bug is in bug
103638.
Comment 25 Asa Dotzler [:asa] 2005-01-11 11:57:13 PST
Bug 103638 has landed so I'm resolving this as fixed per JST's comment #24.
Comment 26 Daniel Veditz [:dveditz] 2005-02-02 14:10:27 PST
Drivers would like this on the branches (plus fixes for regressions caused by
103638)
Comment 27 Daniel Veditz [:dveditz] 2005-02-15 14:29:03 PST
jst checked bug 103638 and regression fixes into the aviary branch
Comment 28 Johnny Stenback (:jst, jst@mozilla.com) 2005-02-16 11:12:00 PST
Fixed for 1.7.6 too.
Comment 29 Jay Patel [:jay] 2005-02-22 18:44:06 PST
Verified Fixed with latest Aviary 1.0.1 and Mozilla 1.7.6 builds.  Also looks
good on the Trunk.  No bad things happening with the USA Today Secunia testcase
and with "dom.disable_window_open_feature.location" set to true, I see the
expected url.

However, with popup blocker enabled, Firefox notifies me that there are a bunch
of windows being blocked from secunia (http://secunia.com/resultpage/).  But I
guess that means this fix is working.  With popup blocker disabled, everything
works fine.
Comment 30 perfectp 2005-06-23 23:08:41 PDT
This is NOT FIXED as of 23-JUNE-2005, Mozilla 1.7.8.  Using the page at
secunia.com to check this vulnerability the Secunia site was able to inject
their frame into an msdn framed page.

Test page: http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

Now Secunia is demonstrating the frame injection using Microsoft msdn, not
USAtoday or citibank.
Comment 31 Curtis Magyar 2005-06-24 00:08:24 PDT
Re #30:

Works in Deerpark as well, only with new window though.

With "Force links that open new windows to open in" selected, and "a new tab",
the injection opens a new tab.
Comment 32 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-07-01 19:35:02 PDT
That sounds like bug 296850 (regression, fixed on current branches).
Comment 33 Boris Zbarsky [:bz] (Out June 25-July 6) 2008-01-27 14:09:54 PST
Test for this got added in bug 408052.