Closed
Bug 290037
Opened 19 years ago
Closed 19 years ago
Search plugins can get javascript access to currently active tab
Categories
(SeaMonkey :: Search, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mikx, Assigned: dveditz)
References
()
Details
(Keywords: fixed-aviary1.0.3, fixed1.7.7, Whiteboard: [sg:fix])
Attachments
(1 file)
|
1.34 KB,
patch
|
bugs
:
review+
dbaron
:
superreview+
chase
:
approval-aviary1.0.3+
chase
:
approval1.7.7+
asa
:
approval1.8b2+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3 By creating a special sherlock file it is possible to run javascript code in the security context of the currently active tab. This allows to create search engines that silently monitor all website displayed while searching (e.g. to steal sessions cookies) and/or that wait for a privileged page (e.g. chrome or about:config) to run arbitrary code. Reproducible: Always Steps to Reproduce: 1. Open http://bugzilla:Je5Zw8k@www.mikx.de/firesearching/ 2. Follow instructions The demo adds a new search engine (called Firesearching) by calling sidebar.addSearchEngine() that behaves like a normal Google search. When searching with that engine an alert shows that the engine has javascript access to the currently active tab. An attacker could silently send the information to another host instead. When the currently displayed site is privileged (chrome or about:config) the demo requests UniversalXPConnect rights, creates c:\booom.bat and launches the batch file (shows a directoy listing in a dos box). This part is Windows only, which is a limitation of the demo - the bug affects all platforms.
|
Assignee | |
Updated•19 years ago
|
Assignee: p_ch → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.3+
Product: Firefox → Core
Whiteboard: [sg:fix]
Version: unspecified → 1.7 Branch
|
|
Assignee | |
Comment 1•19 years ago
|
||
Attachment #180510 -
Flags: superreview?(dbaron)
Attachment #180510 -
Flags: review?(beng)
Attachment #180510 -
Flags: approval1.8b2?
Attachment #180510 -
Flags: approval1.7.7?
Attachment #180510 -
Flags: approval-aviary1.0.3?
|
||
Comment 2•19 years ago
|
||
Comment on attachment 180510 [details] [diff] [review] search only intended to supports http -- make it so r=ben@mozilla.org
Attachment #180510 -
Flags: review?(beng) → review+
|
||
Comment 3•19 years ago
|
||
Comment on attachment 180510 [details] [diff] [review] search only intended to supports http -- make it so a=asa
Attachment #180510 -
Flags: approval1.8b2? → approval1.8b2+
|
||
Comment 4•19 years ago
|
||
Comment on attachment 180510 [details] [diff] [review] search only intended to supports http -- make it so a=chase for branches
Attachment #180510 -
Flags: approval1.7.7?
Attachment #180510 -
Flags: approval1.7.7+
Attachment #180510 -
Flags: approval-aviary1.0.3?
Attachment #180510 -
Flags: approval-aviary1.0.3+
Attachment #180510 -
Flags: superreview?(dbaron) → superreview+
I'm not sure what "only HTTP" (vs., say, gopher or FTP) really means, but if you think that's the right thing, sr=dbaron.
|
|
Assignee | |
Comment 7•19 years ago
|
||
Fix checked in to trunk plus 1.7 and aviary branches
Keywords: fixed-aviary1.0.3,
fixed1.7.7
|
|
Assignee | |
Comment 9•19 years ago
|
||
Fix landed on trunk Apr 12 (see comment 7). FIXED.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
||
Comment 10•19 years ago
|
||
This is SA14938's vulnerability #5; http://secunia.com/advisories/14938/ and CAN-2005-1156 available at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1156 .
|
||
Comment 11•19 years ago
|
||
(In reply to comment #0) > User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3 > Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3 > > By creating a special sherlock file it is possible to run javascript code in the > security context of the currently active tab. This allows to create search > engines that silently monitor all website displayed while searching (e.g. to > steal sessions cookies) and/or that wait for a privileged page (e.g. chrome or > about:config) to run arbitrary code. > > > Reproducible: Always > > Steps to Reproduce: > 1. Open http://bugzilla:Je5Zw8k@www.mikx.de/firesearching/ > 2. Follow instructions > > > > The demo adds a new search engine (called Firesearching) by calling > sidebar.addSearchEngine() that behaves like a normal Google search. When > searching with that engine an alert shows that the engine has javascript access > to the currently active tab. An attacker could silently send the information to > another host instead. > > When the currently displayed site is privileged (chrome or about:config) the > demo requests UniversalXPConnect rights, creates c:\booom.bat and launches the > batch file (shows a directoy listing in a dos box). This part is Windows only, > which is a limitation of the demo - the bug affects all platforms. Hi Michael, Would you please compose a new test case for mozilla? With this case you provided here I can't reproduce this bug on mozilla/linux while the os of this bug is set to all. Please send it to tim.miao@sun.com. Thanks.
|
||
Comment 12•19 years ago
|
||
Tim, this case does work on Mozilla Suite.
|
||
Updated•19 years ago
|
Flags: testcase+
|
|
||
Updated•17 years ago
|
Flags: in-testsuite+ → in-testsuite?
|
||
Updated•16 years ago
|
Product: Core → SeaMonkey
You need to log in
before you can comment on or make changes to this bug.
Description
•