Closed Bug 290079 Opened 15 years ago Closed 15 years ago
arbitrary code execution via sidebar (part 2)
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050412 Firefox/1.0+

Sidebar allows an attacker to link to the privileged content (such as about:config) and run arbitrary code on the content. If anchor contains target="_search", all security checks are bypassed.
http://lxr.mozilla.org/mozilla/source/browser/base/content/browser.js#4687

Related: Bug 284627

Reproducible: Always

Steps to Reproduce:
1. Click links in order

Actual Results:
about:plugins is loaded into Sidebar web panel. "browser.startup.homepage" will be overwritten. Further attacks can be done successfully.

Expected Results:
Link to the privileged content should be blocked.
I can confirm that the attached test case changes my homepage to mozdev.org.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attachment #180532 - Flags: superreview?(dveditz) → superreview-
Note that the webSecurityCheck() prevents the opening of chrome, but even without chrome privs you could load some target site in the sidebar and then inject script using data: to steal cookies or whatever else might be there. The testcase is polite about waiting for us to click two links in succession, a real exploit would simply attack.
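An added example, not the patch attached to this bug: a scheme allowlist for URLs that a page is allowed to push into a web panel, evaluated on parsed URL objects rather than raw strings (the point behind "too bad these aren't uris"), so chrome:, about:, data: and javascript: are all refused by default instead of being denied one at a time. The function name, the allowed-scheme list and the sample inputs are assumptions.

```javascript
// Hypothetical check (not Firefox's own code): only a few web schemes may be
// loaded into a privileged panel; everything else is rejected by default.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// `raw` is the link target; `base` is the URL of the page that carried the
// link, so relative links resolve the way they would in the browser.
function isAllowedWebPanelURL(raw, base) {
  let url;
  try {
    // WHATWG parsing strips surrounding whitespace and lowercases the scheme,
    // so "  CHROME://..." cannot slip past a comparison on the raw string.
    url = base ? new URL(String(raw), base) : new URL(String(raw));
  } catch (e) {
    return false; // unparsable input is rejected, never guessed at
  }
  // Allowlist rather than denylist: chrome:, about:, data:, javascript: and
  // any scheme added to the browser later all fall through to "no".
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample inputs modelled on the cases discussed in this bug.
const SAMPLES = [
  ["http://example.com/panel.html", undefined, true],
  ["panel.html", "http://example.com/a/", true],
  ["about:config", undefined, false],
  ["chrome://browser/content/browser.xul", undefined, false],
  ["  CHROME://browser/content/browser.xul", undefined, false],
  ["data:text/html,<b>hi</b>", undefined, false],
  ["javascript:void(0)", undefined, false],
  ["not a url", undefined, false],
];

// Returns true when every sample is classified as expected.
function samplesPass() {
  return SAMPLES.every(
    ([raw, base, expected]) => isAllowedWebPanelURL(raw, base) === expected
  );
}
```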
mconnor is having issues with cvs and bugzilla access right now, but asked me to attach this. r=caillon a=caillon for aviary 1.0.3 and 1.1a pending sr=
15 years ago
Comment on attachment 180547 [details] [diff] [review]
Patch also checking data:

sr=dveditz
too bad these aren't uris
Attachment #180547 - Flags: superreview?(dveditz) → superreview+
Committed attachment 180547 [details] [diff] [review] to AVIARY_1_0_1_20050124_BRANCH, 2005-04-12 21:43 PDT.
also looks good (get expected errors) using 2005041301-1.0.3 ffox on linux fc3.
Don't forget to commit patch on the trunk ;-)
fixed on trunk as of yesterday.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Verified fixed using Win FF 1.5.
Status: RESOLVED → VERIFIED