Bug 290079 - arbitrary code execution via sidebar (part 2)
Status: VERIFIED FIXED
Whiteboard: [sg:fix]
Keywords: fixed-aviary1.0.3, testcase
Product: Firefox
Classification: Client Software
Component: Security
Version: Trunk
Hardware/OS: All All
Priority/Severity: -- critical
Target Milestone: ---
Assigned To: Mike Connor [:mconnor]
Blocks: sbb?
Reported: 2005-04-12 11:46 PDT by bugzilla
Modified: 2011-08-05 21:29 PDT
Flags:
dveditz: blocking‑aviary1.0.3+
dveditz: blocking‑aviary1.5+
bob: in‑testsuite?


Attachments

testcase (677 bytes, text/html)
2005-04-12 11:47 PDT, bugzilla
no flags

add security check, block javascript: URLs completely (matching IE) (3.02 KB, patch)
2005-04-12 16:58 PDT, Mike Connor [:mconnor]
dveditz: superreview-
chase: approval‑aviary1.0.3+
chase: approval‑aviary1.1a1+

similar testcase with data: (548 bytes, text/html)
2005-04-12 17:24 PDT, Daniel Veditz [:dveditz]
no flags

Patch also checking data: (4.05 KB, patch)
2005-04-12 19:56 PDT, Christopher Aillon (sabbatical, not receiving bugmail)
caillon: review+
dveditz: superreview+
caillon: approval‑aviary1.0.3+
caillon: approval‑aviary1.1a1+

Description bugzilla 2005-04-12 11:46:03 PDT
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050412
Firefox/1.0+

Sidebar allows an attacker to link to the privileged content (such as
about:config) and run arbitrary code on the content.

If anchor contains target="_search", all security checks are bypassed.
http://lxr.mozilla.org/mozilla/source/browser/base/content/browser.js#4687

Related: Bug 284627

Reproducible: Always

Steps to Reproduce:
1. Click links in order

Actual Results:  
about:plugins is loaded into Sidebar web panel. "browser.startup.homepage" will
be overwritten. Further attacks can be done successfully.

Expected Results:  
Link to the privileged content should be blocked.
Comment 1 bugzilla 2005-04-12 11:47:12 PDT
Created attachment 180506 [details]
testcase
Comment 2 sairuh (rarely reading bugmail) 2005-04-12 12:05:53 PDT
I can confirm that the attached test case changes my homepage to mozdev.org.
Comment 3 bugzilla 2005-04-12 12:13:00 PDT
In Mozilla Suite, the testcase failed to load about:plugins. Expected security
error appears in JavaScript Console. This is a Firefox-specific bug.
Comment 4 Mike Connor [:mconnor] 2005-04-12 16:58:17 PDT
Created attachment 180532 [details] [diff] [review]
add security check, block javascript: URLs completely (matching IE)

This is a double-layered fix:

Add the obvious missing security check.
Block javascript: URLs entirely if they target _search.  This is matching
behaviour to IE, and since this is an IE-ism, I feel completely safe in taking
this step.

I will file a followup bug tonight or tomorrow about looking over our web
panels code and better bulletproofing this against future silliness.
Comment 5 Chase Phillips 2005-04-12 17:10:14 PDT
Comment on attachment 180532 [details] [diff] [review]
add security check, block javascript: URLs completely (matching IE)

Who should review/superreview this patch?

a=chase pending r/sr
Comment 6 Daniel Veditz [:dveditz] 2005-04-12 17:23:47 PDT
Comment on attachment 180532 [details] [diff] [review]
add security check, block javascript: URLs completely (matching IE)

looks good, but needs data: too.
Comment 7 Daniel Veditz [:dveditz] 2005-04-12 17:24:59 PDT
Created attachment 180535 [details]
similar testcase with data:
Comment 8 Daniel Veditz [:dveditz] 2005-04-12 17:42:43 PDT
Note that the webSecurityCheck() prevents the opening of chrome, but even
without chrome privs you could load some target site in the sidebar and then
inject script using data: to steal cookies or whatever else might be there.

The testcase is polite about waiting for us to click two links in succession; a
real exploit would simply attack.
Comment 9 Christopher Aillon (sabbatical, not receiving bugmail) 2005-04-12 19:56:16 PDT
Created attachment 180547 [details] [diff] [review]
Patch also checking data:

mconnor is having issues with cvs and bugzilla access right now, but asked me
to attach this.

r=caillon
a=caillon for aviary 1.0.3 and 1.1a pending sr=
Comment 10 Daniel Veditz [:dveditz] 2005-04-12 21:41:07 PDT
Comment on attachment 180547 [details] [diff] [review]
Patch also checking data:

sr=dveditz
too bad these aren't uris
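The two-layer check described in comment 4 and extended to data: in comments 6 and 9, modelled as an added example (this is not Firefox's browser.js or the attached patch): a load check that keeps web content away from privileged about:/chrome: content, plus an outright refusal of javascript: and data: for _search targets. The scheme parsing is a simplified stand-in for Gecko's real load check and is an assumption of the example, as are the function names.

```javascript
// Added example, not Firefox's browser.js: a model of the two-layer fix this
// bug settled on for links with target="_search", which load into the
// sidebar web panel.  Scheme handling here is a simplified stand-in for
// Gecko's real load check (an assumption of this example).

// Schemes that ordinary web content must not load or link to.
const PRIVILEGED_SCHEMES = new Set(["about", "chrome"]);
// Schemes refused for _search outright: either one runs script inside the
// page the panel is currently showing (comments 6 and 8 above).
const SCRIPT_SCHEMES = new Set(["javascript", "data"]);

// Scheme as a browser would see it: leading whitespace and control
// characters dropped, letters compared case-insensitively, so that
// "\tJavaScript:x" is still recognised as javascript:.  Returns null for a
// relative URL.
function schemeOf(href) {
  const trimmed = href.replace(/^[\s\u0000-\u001f]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a link clicked in a document of `sourceScheme` may be
// loaded into the _search panel.  Returns { allowed, reason }.
function checkSearchPanelLoad(href, sourceScheme) {
  const scheme = schemeOf(href);
  if (scheme === null) {
    // Relative: resolves against the source document itself.
    return { allowed: true, reason: "relative URL" };
  }
  // Layer 2 of the fix: no javascript: or data: for _search at all.
  if (SCRIPT_SCHEMES.has(scheme)) {
    return { allowed: false, reason: `${scheme}: URLs are not allowed in _search` };
  }
  // Layer 1: the missing load check.  Only chrome may reach about:/chrome:.
  if (PRIVILEGED_SCHEMES.has(scheme) && sourceScheme !== "chrome") {
    return { allowed: false, reason: `content may not load or link to ${href}` };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample: the sequence from the attached testcase, an https page
// pointing the panel at about:plugins and then at a javascript: URL, plus an
// ordinary link that should still work.
for (const href of ["about:plugins", "javascript:void(0)", "https://example.org/"]) {
  const verdict = checkSearchPanelLoad(href, "https");
  console.log(href, verdict.allowed ? "allowed" : "blocked", "-", verdict.reason);
}
```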
Comment 11 Christopher Aillon (sabbatical, not receiving bugmail) 2005-04-12 21:47:07 PDT
Committed attachment 180547 [details] [diff] [review] to AVIARY_1_0_1_20050124_BRANCH, 2005-04-12 21:43 PDT.
Comment 12 bugzilla 2005-04-13 09:31:19 PDT
I'm testing 2005-04-13-00-aviary1.0.1.

"Click Here First" - JavaScript console says "Security Error: Content at
https://bugzilla.mozilla.org/attachment.cgi?id=180506 may not load or link to
about:plugins."

"Next, Click Here" - nothing happens.

data: testcase produced the same results. Looks good.
Comment 13 sairuh (rarely reading bugmail) 2005-04-13 09:38:02 PDT
also looks good (get expected errors) using 2005041301-1.0.3 ffox on linux fc3.
Comment 14 Daniel Veditz [:dveditz] 2005-04-15 19:55:31 PDT
Fix released
Comment 15 bugzilla 2005-04-17 01:52:52 PDT
Don't forget to commit patch on the trunk ;-)
Comment 16 Mike Connor [:mconnor] 2005-04-21 04:06:46 PDT
fixed on trunk as of yesterday.
Comment 17 Greg K. 2006-01-30 05:53:20 PST
Verified fixed using Win FF 1.5.