Closed
Bug 277554
Opened 20 years ago
Closed 5 years ago
Content can be manipulated by another site with a popup window
Categories
(Core :: Security, defect)
Core
Security
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: u115577, Assigned: jst)
Details
(Keywords: sec-other, Whiteboard: [sg:nse?])
Attachments
(1 file)
|
642 bytes,
text/html
|
Details |
With a popup window, you can manipulate the content of linked page. Testcase 1: http://beta51.minutedesign.com/test1.html Linked page is mozilla.org, but immediately replaced to MozillaZine. Testcase 2: http://beta51.minutedesign.com/test2.html Linked page is Yahoo!, but immediately rewritten with a fake content. The certificate is also spoofable.
I reported Bug 277564 about certificate spoofing.
Better testcase http://beta51.minutedesign.com/test1-2.html http://beta51.minutedesign.com/test2-2.html
In function rewrite(), "window.opener.document.URL" - Error: uncaught exception: Permission denied to get property HTMLDocument.URL "window.opener.document.open()" - No error. This should be denied.
testcase 2 from comment 0 and comment 1 lead me to: wyciwyg://10/http://beta51.minutedesign.com/test2.html Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a6) Gecko/20041225 Camino/0.8+ please always include a build id if you have one ...
I tested on Firefox nightly build (trunk): Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a6) Gecko/20050105 Firefox/1.0+
Simple test case to avoid confusion with Bug 277564 (certificate spoofing)
Attachment 170773 [details] doesn't work...?? Test http://beta51.minutedesign.com/test3.html instead.
|
||
Comment 8•20 years ago
|
||
Leaving aside test2 (better covered in bug 277564), I don't see what the problem is with your original tests? What I see with test1 and 2 (original) is 1) WindowA/SiteA opens PopupB 2) ...user surfs in WindowA to SiteC... 3) PopupB changes content of WindowA 4) Location bar in WindowA reflects the fact that popupB changed it This is something any window can legitimately do to any window it has a reference to. It's unable to access any properties of the other window if it's from a different origin, but it can change it to a different location or write out a new page. In either case the location bar will reflect the new location or the origin of the page doing the writing. [Bug: the original title is not cleared by document.open() although the location bar is updated immediately. Sometimes the title is cleared on the first document.write(), or close() if no writes, though in test3.html the Mozillazine title sticks around. But that's not a big danger, the spoof content could just duplicate the title anyways] The updated testcases are more interesting to me. The onunload property is normally unreachable from the popup; I guess here it's set before the origin changes so it's allowed, but it's hard to believe we're opening up a whole new popup and running its code before the opener's origin has changed. But the timeout *fires* long after the new page has loaded and appears to have access to the new page's DOM. document.location gives me the attack site (beta51.minutedesign.com), but document.links[0] for example has access to the Mozillazine content (assuming I don't call document.open() which does reset things). Hm, document.cookie comes up blank, though, so that looks like the minutedesign.com cookies. A bad state, anyway.
Assignee: dveditz → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 9•20 years ago
|
||
The part I'm concerned about might be covered by Johnny's updated patch to address bug 277564.
Whiteboard: [sg:fix]
|
Reporter | |
Comment 10•20 years ago
|
||
My testcase sometimes doesn't work due to a short time to call setTimeout. Save test3 http://beta51.minutedesign.com/test3.html to hard disk and extend setTimeout from 3000 to 10000 or so. 1) WindowA/SiteA opens PopupB 2) ...user surfs in WindowA to SiteC... 3) SiteC is loaded in WindowA (wait for a moment) 4a) PopupB rewrites content of SiteC 4b) PopupB redirects SiteC to SiteD 5) Location bar in WindowA reflects the fact that popupB changed it Patch https://bugzilla.mozilla.org/show_bug.cgi?id=277564#c14 To avoid redirection, this is also needed. -pref("capability.policy.default.Location.replace.get", "allAccess");
|
|
Reporter | |
Comment 11•20 years ago
|
||
Redirection in this case may be allowed... It's my misconception. Problem is content rewriting via document.write().
|
|
||
Comment 12•20 years ago
|
||
I guess I'm not getting the point of what remains of this bug. test3 is not rewriting the content of SiteC, it is opening a new document and writing to it. Setting window.opener.location.href is allowed, why shouldn't writing out a new document be considered the same thing? Given that any spoofing possibility here relies on users not noticing the urlbar (since that's now updated correctly -- thank you for pointing out bug 277564!) then the attacker would have an easier job simply opening a target-spoof right off the initial click, without the possibly attention-grabbing weirdness of the tiny popup and page "refresh" (if you managed to document.write() an exact duplicate).
Whiteboard: [sg:fix] → [sg:nse?]
|
|
||
Comment 13•20 years ago
|
||
Clearing security flag now that case 2 (spun off as bug 277564) has been fixed.
Group: security
|
||
Updated•15 years ago
|
QA Contact: toolkit
|
||
Comment 14•5 years ago
|
||
To fix this would require backwards-incompatible changed to the Web, regrettably. noopener and COOP are what we settled on to allow websites to protect themselves against this type of attack.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•