Closed Bug 290079 Opened 15 years ago Closed 15 years ago

arbitrary code execution via sidebar (part 2)

Categories

(Firefox :: Security, defect, critical)

defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: u115577, Assigned: mconnor)

References

Details

(Keywords: fixed-aviary1.0.3, testcase, Whiteboard: [sg:fix])

Attachments

(3 files, 1 obsolete file)

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050412
Firefox/1.0+

Sidebar allows an attacker to link to the privileged content (such as
about:config) and run arbitrary code on the content.

If anchor contains target="_search", all security checks are bypassed.
http://lxr.mozilla.org/mozilla/source/browser/base/content/browser.js#4687

Related: Bug 284627

Reproducible: Always

Steps to Reproduce:
1. Click links in order

Actual Results:  
about:plugins is loaded into Sidebar web panel. "browser.startup.homepage" will
be overwritten. Further attacks can be done successfully.

Expected Results:  
Link to the privileged content should be blocked.
Attached file testcase
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.3?
I can confirm that the attached test case changes my homepage to mozdev.org.
Status: UNCONFIRMED → NEW
Ever confirmed: true
In Mozilla Suite, the testcase failed to load about:plugins. Expected security
error appears in JavaScript Console. This is a Firefox-specific bug.
Whiteboard: [sg:fix]
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.3?
Flags: blocking-aviary1.0.3+
Blocks: 284577
This is a double-layered fix:

Add the obvious missing security check.
Block javascript: URLs entirely if they target _search.  This is matching
behaviour to IE, and since this is an IE-ism, I feel completely safe in taking
this step.

I will file a followup bug tonight or tomorrow about looking over our web
panels code and better bulletproofing this against future silliness.
Comment on attachment 180532 [details] [diff] [review]
add security check, block javascript: URLs completely (matching IE)

Who should review/superreview this patch?

a=chase pending r/sr
Attachment #180532 - Flags: approval-aviary1.1a?
Attachment #180532 - Flags: approval-aviary1.0.3?
Attachment #180532 - Flags: approval-aviary1.1a?
Attachment #180532 - Flags: approval-aviary1.1a+
Attachment #180532 - Flags: approval-aviary1.0.3?
Attachment #180532 - Flags: approval-aviary1.0.3+
Attachment #180532 - Flags: superreview?(dveditz)
Attachment #180532 - Flags: review?(caillon)
Comment on attachment 180532 [details] [diff] [review]
add security check, block javascript: URLs completely (matching IE)

looks good, but needs data: too.
Attachment #180532 - Flags: superreview?(dveditz) → superreview-
Attachment #180532 - Flags: review?(caillon)
Note that the webSecurityCheck() prevents the opening of chrome, but even
without chrome privs you could load some target site in the sidebar and then
inject script using data: to steal cookies or whatever else might be there.

The testcase is polite about waiting for us to click two links in succession, a
real exploit would simply attack.
mconnor is having issues with cvs and bugzilla access right now, but asked me
to attach this.

r=caillon
a=caillon for aviary 1.0.3 and 1.1a pending sr=
Attachment #180532 - Attachment is obsolete: true
Attachment #180547 - Flags: superreview?(dveditz)
Attachment #180547 - Flags: review+
Attachment #180547 - Flags: approval-aviary1.1a+
Attachment #180547 - Flags: approval-aviary1.0.3+
Comment on attachment 180547 [details] [diff] [review]
Patch also checking data:

sr=dveditz
too bad these aren't uris
Attachment #180547 - Flags: superreview?(dveditz) → superreview+
Commited attachment 180547 [details] [diff] [review] to AVIARY_1_0_1_20050124_BRANCH, 2005-04-12 21:43 PDT.
I'm testing 2005-04-13-00-aviary1.0.1.

"Click Here First" - JavaScript console says "Security Error: Content at
https://bugzilla.mozilla.org/attachment.cgi?id=180506 may not load or link to
about:plugins."

"Next, Click Here" - nothing happens.

data: testcase produced the same results. Looks good.
also looks good (get expected errors) using 2005041301-1.0.3 ffox on linux fc3.
Blocks: sbb?
No longer blocks: 284577
Fix released
Group: security
Don't forget to commit patch on the trunk ;-)
fixed on trunk as of yesterday.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: testcase+
Verified fixed using Win FF 1.5.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.