Bug 290037 - Search plugins can get javascript access to currently active tab
Status: RESOLVED FIXED
Whiteboard: [sg:fix]
Keywords: fixed-aviary1.0.3, fixed1.7.7
Product: SeaMonkey
Classification: Client Software
Component: Search
Version: 1.7 Branch
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Daniel Veditz [:dveditz]
QA Contact:
Mentors:
URL: http://bugzilla:Je5Zw8k@www.mikx.de/f...
Depends on:
Blocks: sbb+ 295018

Reported: 2005-04-12 04:46 PDT by Michael Krax
Modified: 2008-07-31 04:30 PDT
CC: 2 users
chase: blocking1.7.7+
dveditz: blocking-aviary1.0.3+
dveditz: blocking-aviary1.5+
bob: in-testsuite?


Attachments
search only intended to support http -- make it so (1.34 KB, patch)
2005-04-12 12:17 PDT, Daniel Veditz [:dveditz]
bugs: review+
dbaron: superreview+
chase: approval-aviary1.0.3+
chase: approval1.7.7+
asa: approval1.8b2+

Description Michael Krax 2005-04-12 04:46:57 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3

By creating a special Sherlock file it is possible to run JavaScript code in the
security context of the currently active tab. This allows creating search
engines that silently monitor all websites displayed while searching (e.g. to
steal session cookies) and/or that wait for a privileged page (e.g. chrome or
about:config) to run arbitrary code.


Reproducible: Always

Steps to Reproduce:
1. Open http://bugzilla:Je5Zw8k@www.mikx.de/firesearching/
2. Follow instructions



The demo adds a new search engine (called Firesearching) by calling
sidebar.addSearchEngine() that behaves like a normal Google search. When
searching with that engine, an alert shows that the engine has JavaScript access
to the currently active tab. An attacker could silently send the information to
another host instead.

When the currently displayed site is privileged (chrome or about:config), the
demo requests UniversalXPConnect rights, creates c:\booom.bat and launches the
batch file (shows a directory listing in a DOS box). This part is Windows only,
which is a limitation of the demo; the bug affects all platforms.
Comment 1 Daniel Veditz [:dveditz] 2005-04-12 12:17:11 PDT
Created attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so
Comment 2 Ben Goodger (use ben at mozilla dot org for email) 2005-04-12 12:22:25 PDT
Comment on attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so

r=ben@mozilla.org
Comment 3 Asa Dotzler [:asa] 2005-04-12 13:17:04 PDT
Comment on attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so

a=asa
Comment 4 Chase Phillips 2005-04-12 13:21:34 PDT
Comment on attachment 180510 [details] [diff] [review]
search only intended to support http -- make it so

a=chase for branches
Comment 5 Chase Phillips 2005-04-12 13:21:59 PDT
blocking1.7.7+
Comment 6 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2005-04-12 13:22:47 PDT
I'm not sure what "only HTTP" (vs., say, gopher or FTP) really means, but if you
think that's the right thing, sr=dbaron.
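The policy behind the attached patch and comment 6 (the search action is meant to be http, not gopher, FTP or anything else) can be illustrated with a small validator for the `<search ...>` header of a Sherlock plugin. This is an added example, not Mozilla's code: the plugin texts, hostnames and function names are constructed here, and https is accepted alongside http as an assumption that goes slightly beyond the patch's "only HTTP".

```javascript
// Added example (not from Mozilla): parse a Sherlock plugin's <search ...> header
// and accept only http(s) action URLs, rejecting any other scheme before the
// plugin is installed or used. Assumption: the header is a single tag with
// attr="value" / attr='value' / attr=value pairs; <input> lines are ignored.

// The patch on this bug restricts search to http; https is an added assumption.
const ALLOWED_SCHEMES = ['http:', 'https:'];

// Extract the attributes of the first <search ...> tag, or null if absent.
function parseSearchHeader(pluginText) {
  const tag = /<search\b([^>]*)>/i.exec(pluginText);
  if (!tag) return null;
  const attrs = {};
  const attrRe = /(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) {
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Decide whether the plugin's action URL is acceptable. Returns an object with
// ok=true and the normalised action, or ok=false and the reason for rejection.
function validateSearchAction(pluginText) {
  const attrs = parseSearchHeader(pluginText);
  if (!attrs || !attrs.action) return { ok: false, reason: 'no <search action=...> found' };
  let url;
  try {
    url = new URL(attrs.action); // relative or malformed actions throw here
  } catch (e) {
    return { ok: false, reason: 'action is not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.includes(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} is not allowed` };
  }
  return { ok: true, action: url.href };
}

// Constructed sample plugins (not the demo from the report).
const GOOD_PLUGIN = '<search name="Example" action="http://search.example/q" method="GET">\n<input name="q" user>';
const JS_PLUGIN = '<search name="Demo" action="javascript:void(0)" method="GET">';
const FTP_PLUGIN = "<search name='Files' action='ftp://files.example/' method='GET'>";

console.log(validateSearchAction(GOOD_PLUGIN)); // ok: true
console.log(validateSearchAction(JS_PLUGIN));   // ok: false, scheme javascript: is not allowed
console.log(validateSearchAction(FTP_PLUGIN));  // ok: false, scheme ftp: is not allowed
```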
Comment 7 Daniel Veditz [:dveditz] 2005-04-12 17:37:27 PDT
Fix checked in to trunk plus 1.7 and aviary branches
Comment 8 Daniel Veditz [:dveditz] 2005-04-15 19:54:39 PDT
Fix released
Comment 9 Daniel Veditz [:dveditz] 2005-04-17 21:40:18 PDT
Fix landed on trunk Apr 12 (see comment 7). FIXED.
Comment 10 Juha-Matti Laurio 2005-04-22 13:55:41 PDT
This is SA14938's vulnerability #5; http://secunia.com/advisories/14938/ and
CAN-2005-1156 available at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1156 .
Comment 11 Tim Miao 2005-04-25 20:18:18 PDT
(In reply to comment #0)
> User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
> Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
> 
> By creating a special Sherlock file it is possible to run JavaScript code in the
> security context of the currently active tab. This allows creating search
> engines that silently monitor all websites displayed while searching (e.g. to
> steal session cookies) and/or that wait for a privileged page (e.g. chrome or
> about:config) to run arbitrary code.
> 
> 
> Reproducible: Always
> 
> Steps to Reproduce:
> 1. Open http://bugzilla:Je5Zw8k@www.mikx.de/firesearching/
> 2. Follow instructions
> 
> 
> 
> The demo adds a new search engine (called Firesearching) by calling
> sidebar.addSearchEngine() that behaves like a normal Google search. When
> searching with that engine an alert shows that the engine has javascript access
> to the currently active tab. An attacker could silently send the information to
> another host instead. 
> 
> When the currently displayed site is privileged (chrome or about:config), the
> demo requests UniversalXPConnect rights, creates c:\booom.bat and launches the
> batch file (shows a directory listing in a DOS box). This part is Windows only,
> which is a limitation of the demo; the bug affects all platforms.

Hi Michael,

Would you please compose a new test case for mozilla? With this case you
provided here I can't reproduce this bug on mozilla/linux while the os of this
bug is set to all. Please send it to tim.miao@sun.com.
Thanks.
Comment 12 Ginn Chen 2005-04-26 23:19:08 PDT
Tim, this case does work on Mozilla Suite.
