Search plugins can get javascript access to currently active tab

RESOLVED FIXED

Status

SeaMonkey
Search
RESOLVED FIXED
13 years ago
9 years ago

People

(Reporter: Michael Krax, Assigned: dveditz)

Tracking

({fixed-aviary1.0.3, fixed1.7.7})

1.7 Branch
fixed-aviary1.0.3, fixed1.7.7
Bug Flags:
blocking1.7.7 +
blocking-aviary1.0.3 +
blocking-aviary1.5 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix], URL)

Attachments

(1 attachment)

1.34 KB, patch
Ben Goodger (use ben at mozilla dot org for email)
: review+
dbaron
: superreview+
Chase Phillips
: approval-aviary1.0.3+
Chase Phillips
: approval1.7.7+
(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3

By creating a special sherlock file it is possible to run javascript code in the
security context of the currently active tab. This allows one to create search
engines that silently monitor all websites displayed while searching (e.g. to
steal session cookies) and/or that wait for a privileged page (e.g. chrome or
about:config) to run arbitrary code.


Reproducible: Always

Steps to Reproduce:
1. Open http://bugzilla:Je5Zw8k@www.mikx.de/firesearching/
2. Follow instructions



The demo adds a new search engine (called Firesearching) by calling
sidebar.addSearchEngine() that behaves like a normal Google search. When
searching with that engine an alert shows that the engine has javascript access
to the currently active tab. An attacker could silently send the information to
another host instead. 

When the currently displayed site is privileged (chrome or about:config) the
demo requests UniversalXPConnect rights, creates c:\booom.bat and launches the
batch file (shows a directory listing in a DOS box). This part is Windows only,
which is a limitation of the demo - the bug affects all platforms.
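As an added example (not code from this bug, the demo, or Mozilla's search code), the kind of check the attachment title implies: accept a Sherlock search plugin only when the URL it submits queries to uses an HTTP scheme, so a plugin cannot point at a javascript: or chrome: URL that would run in the active tab's context. The `<search action="...">` header attribute is assumed from the Sherlock format, and both sample plugins are constructed.

```javascript
// Added example: models the "search only supports http" restriction from this bug.
// Sherlock .src files open with a <search ...> tag whose action="..." attribute is
// the URL the query is submitted to (assumption about the format, not from the page).
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Pull the action URL out of the <search ...> header; null if absent.
function sherlockAction(src) {
  const header = src.match(/<search\b([^>]*)>/i);
  if (!header) return null;
  const action = header[1].match(/\baction\s*=\s*"([^"]*)"/i);
  return action ? action[1].trim() : null;
}

// Only an absolute URL with an HTTP scheme is acceptable. javascript:, data:,
// chrome: and similar schemes would let the "search engine" execute in the
// security context of the current tab or of privileged UI, which is the bug.
function isAllowedSearchAction(action) {
  if (action === null) return false;
  let parsed;
  try {
    parsed = new URL(action);
  } catch (e) {
    return false; // relative or malformed: its destination is not knowable
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

function acceptSearchPlugin(src) {
  return isAllowedSearchAction(sherlockAction(src));
}

// Constructed sample plugins (not the Firesearching demo from the report).
const GOOD_PLUGIN = `<search
  version="7.1"
  name="Example Web Search"
  method="GET"
  action="http://www.example.com/search"
  queryEncoding="utf-8">
<input name="q" user>
</search>`;

// Same plugin with the action swapped for a non-HTTP scheme; both must be rejected.
const JS_PLUGIN = GOOD_PLUGIN.replace(/action="[^"]*"/, 'action="javascript:void(0)"');
const CHROME_PLUGIN = GOOD_PLUGIN.replace(/action="[^"]*"/, 'action="chrome://browser/content/"');

console.log(acceptSearchPlugin(GOOD_PLUGIN), acceptSearchPlugin(JS_PLUGIN),
            acceptSearchPlugin(CHROME_PLUGIN)); // true false false
```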
(Assignee)

Updated

13 years ago
Assignee: p_ch → dveditz
Status: UNCONFIRMED → NEW
Component: Search → Search
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.3+
Product: Firefox → Core
Whiteboard: [sg:fix]
Version: unspecified → 1.7 Branch
(Assignee)

Comment 1

13 years ago
Created attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so
Attachment #180510 - Flags: superreview?(dbaron)
Attachment #180510 - Flags: review?(beng)
Attachment #180510 - Flags: approval1.8b2?
Attachment #180510 - Flags: approval1.7.7?
Attachment #180510 - Flags: approval-aviary1.0.3?
Comment on attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so

r=ben@mozilla.org
Attachment #180510 - Flags: review?(beng) → review+

Comment 3

13 years ago
Comment on attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so

a=asa
Attachment #180510 - Flags: approval1.8b2? → approval1.8b2+

Comment 4

13 years ago
Comment on attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so

a=chase for branches
Attachment #180510 - Flags: approval1.7.7?
Attachment #180510 - Flags: approval1.7.7+
Attachment #180510 - Flags: approval-aviary1.0.3?
Attachment #180510 - Flags: approval-aviary1.0.3+

Comment 5

13 years ago
blocking1.7.7+
Flags: blocking1.7.7+
Attachment #180510 - Flags: superreview?(dbaron) → superreview+
I'm not sure what "only HTTP" (vs., say, gopher or FTP) really means, but if you
think that's the right thing, sr=dbaron.
(Assignee)

Comment 7

13 years ago
Fix checked in to trunk plus 1.7 and aviary branches
Keywords: fixed-aviary1.0.3, fixed1.7.7
(Assignee)

Comment 8

13 years ago
Fix released
Group: security
(Assignee)

Comment 9

13 years ago
Fix landed on trunk Apr 12 (see comment 7). FIXED.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED

Comment 10

13 years ago
This is SA14938's vulnerability #5; http://secunia.com/advisories/14938/ and
CAN-2005-1156 available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1156 .

Comment 11

13 years ago
(In reply to comment #0)
> User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
> Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
> 
> By creating a special sherlock file it is possible to run javascript code in the
> security context of the currently active tab. This allows one to create search
> engines that silently monitor all websites displayed while searching (e.g. to
> steal session cookies) and/or that wait for a privileged page (e.g. chrome or
> about:config) to run arbitrary code.
> 
> 
> Reproducible: Always
> 
> Steps to Reproduce:
> 1. Open http://bugzilla:Je5Zw8k@www.mikx.de/firesearching/
> 2. Follow instructions
> 
> 
> 
> The demo adds a new search engine (called Firesearching) by calling
> sidebar.addSearchEngine() that behaves like a normal Google search. When
> searching with that engine an alert shows that the engine has javascript access
> to the currently active tab. An attacker could silently send the information to
> another host instead. 
> 
> When the currently displayed site is privileged (chrome or about:config) the
> demo requests UniversalXPConnect rights, creates c:\booom.bat and launches the
> batch file (shows a directory listing in a DOS box). This part is Windows only,
> which is a limitation of the demo - the bug affects all platforms.

Hi Michael,

Would you please compose a new test case for mozilla? With the case you
provided here I can't reproduce this bug on mozilla/linux, while the OS of this
bug is set to All. Please send it to tim.miao@sun.com.
Thanks.

Comment 12

13 years ago
Tim, this case does work on Mozilla Suite.

Updated

12 years ago
Blocks: 295018
(Assignee)

Updated

12 years ago
Blocks: 256197

Updated

12 years ago
Flags: testcase+

Updated

11 years ago
Flags: in-testsuite+ → in-testsuite?
Product: Core → SeaMonkey