Closed Bug 278809 Opened 20 years ago Closed 20 years ago

White-list check bypassed dragging a XPI link out of the browser window and dropping it back on the window (single gesture)

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: ma1, Unassigned)


Details

(Whiteboard: [sg:nse])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.8b) Gecko/20050117 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it-IT; rv:1.8b) Gecko/20050117 Firefox/1.0+

If you click on an XPI link on a non-whitelisted site, Firefox refuses to begin
the installation and shows an explanatory message on top of the content window.
But if you drag the same link out of the content window and immediately drop it
back on a browser window, the installation takes place exactly as if the link came
from the local realm (that is probably how the browser sees it, being dropped
from outside). Problem is, the XPI file never actually landed on the user's HD (it
is not really local), and the described gesture could be unintentional (while
saving a file on my hard disk and then dragging it onto the browser window is more
likely a conscious behaviour).
Notice that this is reproducible only on Firefox, because SeaMonkey seems to
ignore the white-list anyway.
I don't see how this could be remotely exploitable.
But nevertheless I'm marking it as security/confidential, just in case the DOM
has some new unrestricted (and very dangerous) drag'n'drop capability I'm not
yet aware of.

Reproducible: Always

Steps to Reproduce:
1. Browse http://www.flashgot.net/getit (or another non-whitelisted site
containing an XPI)
2. *In a single gesture (not releasing the mouse button)* drag the "Install"
labeled link out of the content window, and then drop it back on the same window.
3. Enjoy the install popup, and possibly go on with FlashGot, it is worth the
install :-)

Actual Results:
Installation process began with the alert popup.

Expected Results:  
Firefox should show a message saying software can't be installed from
www.flashgot.net.
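As an added illustration (not Firefox's own XPInstall code; the whitelist hosts, function names and URLs are constructed), this JavaScript routes both the click path and the drop path through one check on the link's origin, which is the property the drag-and-drop gesture in this report does not change:

```javascript
// Added example, not Firefox's XPInstall code: one origin check shared by every
// install entry point, so a drag-and-drop gesture cannot skip the whitelist.
// INSTALL_WHITELIST, installDecision, firstUri, dropDecision and clickDecision
// are constructed names; the hosts and URLs are constructed sample values.
const INSTALL_WHITELIST = new Set(["update.mozilla.org", "addons.mozilla.org"]);

// Judge the link itself: a file that really landed on disk is local, a web URL
// is allowed only if its host is whitelisted, and any other scheme is refused.
function installDecision(urlString, whitelist = INSTALL_WHITELIST) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { allow: false, reason: "unparseable URL" };
  }
  if (url.protocol === "file:") {
    return { allow: true, reason: "local file" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allow: false, reason: "unsupported scheme " + url.protocol };
  }
  // Normalise the host: lower-case and drop a trailing dot so "Host." still
  // matches the whitelist entry for "host".
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (whitelist.has(host)) {
    return { allow: true, reason: "whitelisted host " + host };
  }
  return { allow: false, reason: "software can't be installed from " + host };
}

// A drop carries a text/uri-list payload: CRLF-separated lines, '#' lines are comments.
function firstUri(uriList) {
  for (const line of uriList.split(/\r?\n/)) {
    const trimmed = line.trim();
    if (trimmed && !trimmed.startsWith("#")) return trimmed;
  }
  return null;
}

// Drop path: where the drag started is irrelevant; only the dropped URL is judged.
function dropDecision(uriList) {
  const uri = firstUri(uriList);
  return uri ? installDecision(uri) : { allow: false, reason: "no URI in drop" };
}

// Click path: the same decision, so both gestures always agree.
function clickDecision(href) {
  return installDecision(href);
}
```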

This seems OK to me. The real security protection is the install confirmation
dialog, the whitelisting mechanism is just to prevent malicious sites from
abusing people with modal dialogs until they give in and install. In this case
the user has to drag completely outside the content area (not necessarily
outside the window), and that's an action under user control.

Even if a spoofer convinced someone to do it once, the confirmation dialog is
very clear and the user can cancel at that point.
Group: security
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Whiteboard: [sg:nse]
Comment 2
the whitelisting mechanism is just to prevent malicious sites from
abusing people with modal dialogs until they give in and install.
---------
This may be the wide case but there has to be some boundary line for web
installations. Once you term it in a whitelisting scheme either the user has to
download it to the HDD and install from it or the site gets into the white list.
Allowing some whack gesture to make it install from the web should be termed a bug.
---------
Comment 1
I don't see how this could be remotely exploitable.
---------
True, it's not high risk as it involves user intervention.
Product: Core → Core Graveyard