Closed Bug 290037 Opened 15 years ago Closed 15 years ago

Search plugins can get javascript access to currently active tab

Categories

(SeaMonkey :: Search, defect)

1.7 Branch
defect
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mikx, Assigned: dveditz)

References

()

Details

(Keywords: fixed-aviary1.0.3, fixed1.7.7, Whiteboard: [sg:fix])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3

By creating a special sherlock file it is possible to run javascript code in the
security context of the currently active tab. This allows creating search
engines that silently monitor all websites displayed while searching (e.g. to
steal session cookies) and/or that wait for a privileged page (e.g. chrome or
about:config) to run arbitrary code.


Reproducible: Always

Steps to Reproduce:
1. Open http://bugzilla:Je5Zw8k@www.mikx.de/firesearching/
2. Follow instructions



The demo adds a new search engine (called Firesearching) by calling
sidebar.addSearchEngine() that behaves like a normal Google search. When
searching with that engine an alert shows that the engine has javascript access
to the currently active tab. An attacker could silently send the information to
another host instead.

When the currently displayed site is privileged (chrome or about:config) the
demo requests UniversalXPConnect rights, creates c:\booom.bat and launches the
batch file (shows a directory listing in a dos box). This part is Windows only,
which is a limitation of the demo - the bug affects all platforms.
Assignee: p_ch → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.3+
Product: Firefox → Core
Whiteboard: [sg:fix]
Version: unspecified → 1.7 Branch
Attachment #180510 - Flags: superreview?(dbaron)
Attachment #180510 - Flags: review?(beng)
Attachment #180510 - Flags: approval1.8b2?
Attachment #180510 - Flags: approval1.7.7?
Attachment #180510 - Flags: approval-aviary1.0.3?
Comment on attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so

r=ben@mozilla.org
Attachment #180510 - Flags: review?(beng) → review+
Comment on attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so

a=asa
Attachment #180510 - Flags: approval1.8b2? → approval1.8b2+
Comment on attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so

a=chase for branches
Attachment #180510 - Flags: approval1.7.7?
Attachment #180510 - Flags: approval1.7.7+
Attachment #180510 - Flags: approval-aviary1.0.3?
Attachment #180510 - Flags: approval-aviary1.0.3+
blocking1.7.7+
Flags: blocking1.7.7+
Attachment #180510 - Flags: superreview?(dbaron) → superreview+
I'm not sure what "only HTTP" (vs., say, gopher or FTP) really means, but if you
think that's the right thing, sr=dbaron.
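The fix on this bug restricts search plugin targets to http, which is the natural answer to the "only HTTP" question above: a plugin whose action URL uses javascript: (or any other non-network scheme) must never be accepted, because the browser would otherwise evaluate it in the active tab's context. The following is an added illustration of that allowlist check and is not the attachment's code nor Mozilla's Sherlock parser; the minimal tag parser, the sample plugin text and the inclusion of https alongside http are all constructed assumptions.

```javascript
// Added example (not the patch on this bug, not Mozilla code): an allowlist
// check on the "action" URL of a Sherlock-style search plugin, mirroring the
// "http only" restriction that the attachment on this bug describes.
// The parser and the sample plugins below are constructed for illustration.

// Schemes a search plugin may target. The bug's fix allowed http only; https
// is added here as an assumption, since a modern engine would expect it.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Minimal extraction of the <search ...> element's attributes. Sherlock
// plugins are not well-formed XML, so this only pulls quoted attributes off
// the first <search ...> tag rather than using a full XML parser.
function parseSearchTag(pluginText) {
  const m = /<search\b([^>]*)>/i.exec(pluginText);
  if (!m) return null;
  const attrs = {};
  const attrRe = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  let a;
  while ((a = attrRe.exec(m[1])) !== null) {
    attrs[a[1].toLowerCase()] = a[2];
  }
  return attrs;
}

// Returns the scheme of the action URL if it is an absolute URL with an
// allowed scheme, otherwise null. Going through the URL parser instead of a
// string-prefix test means leading whitespace, mixed-case schemes and
// relative URLs are judged the same way the browser would see them.
function classifyAction(actionValue) {
  let url;
  try {
    url = new URL(actionValue);
  } catch (_) {
    return null; // not an absolute URL: refuse rather than resolve it against anything
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.protocol : null;
}

// A plugin is accepted only if its action attribute is an allowed absolute URL.
function isPluginAllowed(pluginText) {
  const attrs = parseSearchTag(pluginText);
  if (!attrs || typeof attrs.action !== "string") return false;
  return classifyAction(attrs.action) !== null;
}

// Constructed sample plugins (hostnames are placeholders).
const GOOD_PLUGIN = `<search version="7.1" name="Example Search" description="Example"
  action="http://search.example.test/search" searchForm="http://search.example.test/" method="GET">
<input name="q" user>
</search>`;

const JS_PLUGIN = GOOD_PLUGIN.replace(
  'action="http://search.example.test/search"',
  'action="javascript:void(0)"'
);

const FTP_PLUGIN = GOOD_PLUGIN.replace(
  'action="http://search.example.test/search"',
  'action="ftp://files.example.test/search"'
);

// Audit a set of named plugins; returns { name: accepted } for each.
function auditPlugins(samples) {
  const result = {};
  for (const [name, text] of Object.entries(samples)) {
    result[name] = isPluginAllowed(text);
  }
  return result;
}

// Stand-alone run: prints which constructed samples pass the allowlist.
console.log(auditPlugins({ good: GOOD_PLUGIN, javascript: JS_PLUGIN, ftp: FTP_PLUGIN }));
```

The check deliberately rejects anything the URL parser cannot turn into an absolute URL, so a relative action such as `/search?q=` is refused rather than resolved against whatever page happens to be active, which is exactly the kind of context confusion this bug is about.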
Fix checked in to trunk plus 1.7 and aviary branches
Fix released
Group: security
Fix landed on trunk Apr 12 (see comment 7). FIXED.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
(In reply to comment #0)
> User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
> Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
> 
> By creating a special sherlock file it is possible to run javascript code in the
> security context of the currently active tab. This allows creating search
> engines that silently monitor all websites displayed while searching (e.g. to
> steal session cookies) and/or that wait for a privileged page (e.g. chrome or
> about:config) to run arbitrary code.
> 
> 
> Reproducible: Always
> 
> Steps to Reproduce:
> 1. Open http://bugzilla:Je5Zw8k@www.mikx.de/firesearching/
> 2. Follow instructions
> 
> 
> 
> The demo adds a new search engine (called Firesearching) by calling
> sidebar.addSearchEngine() that behaves like a normal Google search. When
> searching with that engine an alert shows that the engine has javascript access
> to the currently active tab. An attacker could silently send the information to
> another host instead.
> 
> When the currently displayed site is privileged (chrome or about:config) the
> demo requests UniversalXPConnect rights, creates c:\booom.bat and launches the
> batch file (shows a directory listing in a dos box). This part is Windows only,
> which is a limitation of the demo - the bug affects all platforms.

Hi Michael,

Would you please compose a new test case for mozilla? With this case you
provided here I can't reproduce this bug on mozilla/linux while the os of this
bug is set to all. Please send it to tim.miao@sun.com.
Thanks.
Tim, this case does work on Mozilla Suite.
Blocks: 295018
Blocks: sbb+
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
Product: Core → SeaMonkey