Closed Bug 275441 Opened 20 years ago Closed 19 years ago

File download extension spoofing with Content-Type and .ext<space>.<space> (SA12979 variant)

Categories

(Toolkit :: Downloads API, defect)

Platform: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: normal


RESOLVED FIXED

People

(Reporter: dveditz, Assigned: dougt)

References

(Depends on 1 open bug)

Details

(Keywords: fixed-aviary1.0.1, fixed1.7.6, Whiteboard: [sg:fix] ETA 2/11)

Attachments

(1 file)

 
Proof of concept attachment 168128 [details] was added to bug 267123 after the FF1.0 ship.
Moving to a new bug to prevent confusion. Like bug 267122 and 267123, this uses
our reliance on Content-Type vs. Windows' use of the file extension to lay mines for
the user to execute later. In this case adding space-dot-space on the end
defeats our fix.
Whiteboard: [sg:fix]
I bet the real problem is that our definition of "extension" doesn't match the Windows 
definition. I recall that we have some code to strip trailing dots somewhere to deal with a 
variant of this attack; perhaps that code needs to be a little more involved?
Depends on: 267123
need to investigate/try for 1.0.1
Flags: blocking-aviary1.0.1?
Flags: blocking-aviary1.0.1? → blocking-aviary1.0.1+
Assignee: bugs → dougt
Whiteboard: [sg:fix] → [sg:fix] ETA 2/11
Dan, I have a patch in bug 267828 that will fix this.
Please verify by testing attachment 168128 [details].
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Reopening.  Testing bug 267828 failed for me and I am still seeing problems on
the Aviary 1.0.1 branch:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050221
Firefox/1.0.1

I will attach screenshots of the dialogs I am seeing, the testcases for each are
shown as well.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Clearing fixed flags, this one isn't. bug 267828 does appear fixed, but
apparently wasn't sufficient to fix this one.
Depends on: 267828
clearing the 1.0.1 flag for this since Firefox 1.0.1 has already shipped. 
Flags: blocking-aviary1.0.1+ → blocking-aviary1.0.2?
not blocking 1.0.3
Flags: blocking-aviary1.0.3? → blocking-aviary1.0.3-
This is fixed. You need to get beyond the screenshot and actually "Open With".
The executable extension is detected (thanks to bug 267828), the
MIME-type-matching extension is added, and the appropriate handler is launched
(e.g. image viewer for .gif and windows media player for .avi). If you "save as"
the MIME-matching extension is added.

In the Mozilla Suite the "open with" happens as described. A "Save As" brings up
a standard filepicker with the .bat extension clearly shown, and that's probably
good enough for the Suite audience.
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: testcase+
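The two comments above (the "extension" definition mismatch in comment 1, and the detect-then-append behaviour described in the closing comment) are easier to see in code. The block below is an added illustration, not Firefox or Toolkit code. The executable-extension set and the MIME-to-extension table are assumptions for the demo (only .bat, .gif and .avi are named on this bug), and the filename "evil.bat . " is a constructed input shaped like the space-dot-space case the bug describes.

```javascript
// Added example (not Mozilla code): why "name.ext . " slipped past a fix that
// only stripped trailing dots, and the detect-then-append check the bug
// describes as the final behaviour.

// Assumed, illustrative subset of extensions Windows will execute; the real
// list is longer. Only .bat is named on the bug page.
const EXECUTABLE_EXTENSIONS = new Set(['bat', 'cmd', 'com', 'exe', 'pif', 'scr', 'vbs']);

// Assumed MIME -> extension table for the two types mentioned on the bug.
const MIME_EXTENSION = { 'image/gif': 'gif', 'video/x-msvideo': 'avi' };

// Win32 drops any trailing run of dots and spaces before a name reaches the
// filesystem, so "evil.bat . " is stored and launched as "evil.bat".
function windowsEffectiveName(name) {
  return name.replace(/[. ]+$/, '');
}

// The earlier, insufficient normalisation: only trailing dots are stripped,
// then the extension is whatever follows the last remaining dot. For
// "evil.bat . " that is a lone space, which looks harmless.
function naiveExtension(name) {
  const stripped = name.replace(/\.+$/, '');
  const i = stripped.lastIndexOf('.');
  return i === -1 ? '' : stripped.slice(i + 1).toLowerCase();
}

// Extension as Windows will actually see it once the file is on disk.
function windowsExtension(name) {
  return naiveExtension(windowsEffectiveName(name));
}

function isExecutable(ext) {
  return EXECUTABLE_EXTENSIONS.has(ext);
}

// Mirrors the fixed behaviour the bug describes: normalise the way Windows
// does, detect the executable extension, and when the server claims a
// non-executable Content-Type append that type's extension so the matching
// handler (image viewer, media player) opens the file rather than the shell.
function suggestSaveName(filename, contentType) {
  const base = windowsEffectiveName(filename);
  const ext = windowsExtension(base);
  const mimeExt = MIME_EXTENSION[contentType.toLowerCase().split(';')[0].trim()];
  if (isExecutable(ext) && mimeExt && mimeExt !== ext) {
    return `${base}.${mimeExt}`;
  }
  return base;
}

// Constructed input: what the naive check sees versus what Windows runs.
const poc = 'evil.bat . ';
console.log(JSON.stringify(naiveExtension(poc)), isExecutable(naiveExtension(poc)));  // " " false
console.log(windowsExtension(poc), isExecutable(windowsExtension(poc)));              // bat true
console.log(suggestSaveName(poc, 'image/gif'));                                        // evil.bat.gif
```

The contrast with the earlier trailing-dot fix is that `naiveExtension('evil.bat...')` already yields `bat`, whereas `'evil.bat . '` ends in a space, so the dot-only strip never fires; normalising both characters first, as Windows does, is what closes the gap.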
(In reply to comment #12)
> http://secunia.com/advisories/12979/

Hello, is anyone out there? If this is fixed, why does Secunia still mark it as partially fixed?
(In reply to comment #13)
> (In reply to comment #12)
> > http://secunia.com/advisories/12979/
>
> Hello, is anyone out there? If this is fixed, why does Secunia still mark it as
> partially fixed?

Secunia also lists bug 267123 as one of the relevant bugs, hence the "partial fix" status.
Flags: in-testsuite+ → in-testsuite?
Product: Firefox → Toolkit