Bug 280664 - Using Flash and the -moz-opacity filter you can get access to about:config and make the user silently change values [secunia http://secunia.com/advisories/14160/ moderately critical ]
Status: VERIFIED FIXED
[sg:fix]
: fixed-aviary1.0.1, fixed1.4.5, fixed1.7.6
Product: Core
Classification: Components
Component: Plug-ins
Version: Trunk
Hardware: x86 Windows XP
Importance: -- normal
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
URL: http://www.mikx.de/fireflashing/
Depends on: 284963
Blocks: sbb+ sg-ff101 sg-moz176
Reported: 2005-02-01 08:05 PST by Michael Krax
Modified: 2007-04-01 14:32 PDT
chofmann: blocking1.7.6+
chofmann: blocking‑aviary1.0.1+
chofmann: blocking1.8b+
bob: in‑testsuite?


Attachments
Do security checks when loading URIs from any plugin (1.39 KB, patch)
2005-02-02 14:19 PST, Johnny Stenback (:jst, jst@mozilla.com)
Do security checks when loading URIs from any plugin (2.34 KB, patch)
2005-02-03 14:57 PST, Johnny Stenback (:jst, jst@mozilla.com)
dveditz: review+
brendan: superreview+
dveditz: approval‑aviary1.0.1+
dveditz: approval1.7.6+

Description Michael Krax 2005-02-01 08:05:17 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Using Flash and the -moz-opacity filter it is possible to display the
about:config site in a hidden frame.

By making the user double-click at a specific screen position (e.g. using a
DHTML game) you can toggle the status of boolean config parameters.

As long as the number of about:config parameters is unchanged (unlikely a casual
user will change them) you can move the parameter you want to change to the
specified screen position by using CSS (change the .hideframe class).

Reproducible: Always

Steps to Reproduce:
1. Open http://www.mikx.de/fireflashing/
2. Open example link (make sure Flash 7 is installed)
3. Double click inside the red box

Actual Results:  
You can silently toggle any boolean config parameter

Expected Results:  
Security manager should prevent that a plugin can open about:config or file:///
links

This bug also affects Mozilla 1.7.5 and Netscape 7.1, but Mozilla raises a
dialog instead of toggling a boolean value and Netscape does not support the
-moz-opacity filter.
Comment 1 Michael Krax 2005-02-01 09:41:59 PST
Oh, and please don't blame flash only. You can also load about:config using the
real player plugin and merged url events. See
http://service.real.com/help/library/guides/producerpro/htmfiles/command.htm for
details and merge a command like:

u 0:0:0:0.0 0:0:0:30.0 &&targetframe&&about:config 

Comment 2 Daniel Veditz [:dveditz] 2005-02-01 11:52:23 PST
This is core code somewhere, guessing plugins (non-plugin attempts to get
about:config loaded fail as they should). Is it as simple as a missing CheckLoadURI?
Comment 3 Daniel Veditz [:dveditz] 2005-02-01 12:08:08 PST
We *have* the security checks, but only do them for OJI (java) plugins? The
checks were added with bug 59767, the rationale for skipping other plugins
appears to be https://bugzilla.mozilla.org/show_bug.cgi?id=59767#c21 (only
file:// urls were considered).

Johnny, do you see any ill effects from doing the checks for all plugins?
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2005-02-02 14:12:32 PST
Sounds to me like the checks were left out for non-java plugins not because
they'd harm anything, but because we thought they weren't needed. That doesn't
mean this won't break sites, but I can't think of any sites that it really would
break. I'd be fine with doing the checks for all plugins, and in fact, this bug
is already at least partly fixed on the trunk since there we do security checks
when trying to load content into frames, and those checks block this testcase
from working.

I'll write a patch that takes out the java check.
Comment 5 Johnny Stenback (:jst, jst@mozilla.com) 2005-02-02 14:19:32 PST
Created attachment 173211 [details] [diff] [review]
Do security checks when loading URIs from any plugin
Comment 6 Daniel Veditz [:dveditz] 2005-02-02 14:29:02 PST
Comment on attachment 173211 [details] [diff] [review]
Do security checks when loading URIs from any plugin

r=dveditz, but don't we need to do the same thing down in
nsPluginHostImpl::PostURL ?
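As an added illustration of the gap discussed in comments 3, 4 and 6 (this is not Gecko code; the function names, the plugin enum and the scheme allow-list are assumptions): a simplified model of a CheckLoadURI-style check that, before the fix, ran only on the Java (OJI) plugin path, beside the fixed form that applies it to every plugin and is shared by both the GET and POST load paths.

```cpp
#include <string>
#include <cctype>

// Hypothetical model of the plugin URI load check, not Gecko's implementation.

// Scheme of a URI, lower-cased; empty string if the URI has no scheme.
static std::string SchemeOf(const std::string& uri) {
    std::string::size_type pos = uri.find(':');
    if (pos == std::string::npos) return "";
    std::string scheme = uri.substr(0, pos);
    for (char& c : scheme)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return scheme;
}

// Targets that untrusted web content may navigate a frame to. about:
// (other than about:blank), file:, chrome: and friends are deliberately
// absent: a page must never be able to steer a frame to about:config.
static bool WebContentMayLoad(const std::string& targetUri) {
    if (targetUri == "about:blank") return true;
    const std::string s = SchemeOf(targetUri);
    return s == "http" || s == "https" || s == "ftp";
}

enum class PluginKind { Java, Flash, RealPlayer, Other };

// Before the fix: the check was gated on the plugin being Java, so a Flash
// or RealPlayer plugin could request about:config into a frame unchecked.
bool MayLoadUriBeforeFix(PluginKind kind, const std::string& targetUri) {
    if (kind != PluginKind::Java) return true;   // no check at all
    return WebContentMayLoad(targetUri);
}

// After the fix: every plugin kind goes through the same check.
bool MayLoadUriAfterFix(PluginKind /*kind*/, const std::string& targetUri) {
    return WebContentMayLoad(targetUri);
}

// The POST path (nsPluginHostImpl::PostURL in the bug) must use the same
// check as the GET path, otherwise the fix leaves a second unguarded door.
bool MayPostUriAfterFix(PluginKind kind, const std::string& targetUri) {
    return MayLoadUriAfterFix(kind, targetUri);
}
```
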
Comment 7 Ben Bucksch (:BenB) 2005-02-03 08:53:46 PST
Published on public website, leaked to press, they want to report and asked me
for a statement. Can I open the bug? Same for bug 280056 and bug 279945.
Comment 8 Ben Bucksch (:BenB) 2005-02-03 09:01:44 PST
Actually, it's pretty pointless to hide a bug when it's on a public website.
opening.
Comment 9 Daniel Veditz [:dveditz] 2005-02-03 11:11:36 PST
Comment on attachment 173211 [details] [diff] [review]
Do security checks when loading URIs from any plugin

taking back my r= pending an answer to my question about PostURL in comment 6
Comment 10 Johnny Stenback (:jst, jst@mozilla.com) 2005-02-03 14:55:55 PST
Comment on attachment 173211 [details] [diff] [review]
Do security checks when loading URIs from any plugin

Duh, yeah, same change needed there too. New patch coming...
Comment 11 Johnny Stenback (:jst, jst@mozilla.com) 2005-02-03 14:57:48 PST
Created attachment 173316 [details] [diff] [review]
Do security checks when loading URIs from any plugin
Comment 12 Daniel Veditz [:dveditz] 2005-02-03 18:16:20 PST
Comment on attachment 173316 [details] [diff] [review]
Do security checks when loading URIs from any plugin

Great, thanks! r=dveditz
Comment 13 Brendan Eich [:brendan] 2005-02-03 18:37:50 PST
Comment on attachment 173316 [details] [diff] [review]
Do security checks when loading URIs from any plugin

sr=me.

/be
Comment 14 Johnny Stenback (:jst, jst@mozilla.com) 2005-02-04 08:56:07 PST
Fix landed on the trunk.
Comment 15 Michael Krax 2005-02-07 06:47:57 PST
Since the bug is fixed I will make it public tonight. Just to let you know
beforehand.
Comment 16 Ben Bucksch (:BenB) 2005-02-07 15:35:31 PST
Unhiding <http://www.heise.de/newsticker/meldung/56140>
Comment 17 Wolfgang Rosenauer [:wolfiR] 2005-02-09 04:10:01 PST
The patch is approved for 1.7.6 and 1.0.1.
Anyone going to check it in please? (in case it has been checked in already
please update the keywords)
Comment 18 Daniel Veditz [:dveditz] 2005-02-11 00:58:04 PST
Checked into 1.7 and aviary1.0.1 branches
Comment 19 Juha-Matti Laurio 2005-02-18 15:13:55 PST
This was (is) assigned as Secunia ID 14160;

http://secunia.com/advisories/14160/
(Mozilla / Firefox Three Vulnerabilities)

marked as "The vulnerabilities have been fixed in the CVS repository" on 8th
February, 2005.
Comment 20 Jay Patel [:jay] 2005-02-22 14:14:23 PST
Verified Fixed everywhere with 2/21 builds (Aviary 1.0.1, Mozilla 1.7.6, and
both Trunks).  Testcase no longer opens the about:config with Flash.
Comment 21 Daniel Veditz [:dveditz] 2005-04-19 12:11:37 PDT
awarded a bug bounty
