
arbitrary code execution via sidebar (part 2)

VERIFIED FIXED

Status: VERIFIED FIXED
Product: Firefox
Component: Security
Priority: --
Severity: critical
Reported: 12 years ago
Modified: 6 years ago

People

(Reporter: bugzilla, Assigned: mconnor)

Tracking

Version: Trunk
Keywords: fixed-aviary1.0.3, testcase
Points:
---
Bug Flags:
blocking-aviary1.0.3 +
blocking-aviary1.5 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix])

Attachments

(3 attachments, 1 obsolete attachment)

- 677 bytes, text/html
- 548 bytes, text/html
- 4.05 KB, patch: review+ (Christopher Aillon), superreview+ (dveditz), approval-aviary1.0.3+ (Christopher Aillon), approval-aviary1.1a+ (Christopher Aillon)
(Reporter)

Description

12 years ago
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050412
Firefox/1.0+

Sidebar allows an attacker to link to the privileged content (such as
about:config) and run arbitrary code on the content.

If anchor contains target="_search", all security checks are bypassed.
http://lxr.mozilla.org/mozilla/source/browser/base/content/browser.js#4687

Related: Bug 284627

Reproducible: Always

Steps to Reproduce:
1. Click links in order

Actual Results:  
about:plugins is loaded into Sidebar web panel. "browser.startup.homepage" will
be overwritten. Further attacks can be done successfully.

Expected Results:  
Link to the privileged content should be blocked.
(Reporter)

Comment 1

12 years ago
Created attachment 180506 [details]
testcase
(Reporter)

Updated

12 years ago
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.3?
I can confirm that the attached test case changes my homepage to mozdev.org.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 3

12 years ago
In Mozilla Suite, the testcase failed to load about:plugins. Expected security
error appears in JavaScript Console. This is a Firefox-specific bug.
Whiteboard: [sg:fix]
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.3?
Flags: blocking-aviary1.0.3+
Blocks: 284577
(Assignee)

Comment 4

12 years ago
Created attachment 180532 [details] [diff] [review]
add security check, block javascript: URLs completely (matching IE)

This is a double-layered fix:

Add the obvious missing security check.
Block javascript: URLs entirely if they target _search.  This is matching
behaviour to IE, and since this is an IE-ism, I feel completely safe in taking
this step.

I will file a followup bug tonight or tomorrow about looking over our web
panels code and better bulletproofing this against future silliness.

Comment 5

12 years ago
Comment on attachment 180532 [details] [diff] [review]
add security check, block javascript: URLs completely (matching IE)

Who should review/superreview this patch?

a=chase pending r/sr
Attachment #180532 - Flags: approval-aviary1.1a?
Attachment #180532 - Flags: approval-aviary1.0.3?

Updated

12 years ago
Attachment #180532 - Flags: approval-aviary1.1a?
Attachment #180532 - Flags: approval-aviary1.1a+
Attachment #180532 - Flags: approval-aviary1.0.3?
Attachment #180532 - Flags: approval-aviary1.0.3+

Updated

12 years ago
Attachment #180532 - Flags: superreview?(dveditz)
Attachment #180532 - Flags: review?(caillon)
Comment on attachment 180532 [details] [diff] [review]
add security check, block javascript: URLs completely (matching IE)

looks good, but needs data: too.
Attachment #180532 - Flags: superreview?(dveditz) → superreview-
Created attachment 180535 [details]
similar testcase with data:
(Assignee)

Updated

12 years ago
Attachment #180532 - Flags: review?(caillon)
Note that the webSecurityCheck() prevents the opening of chrome, but even
without chrome privs you could load some target site in the sidebar and then
inject script using data: to steal cookies or whatever else might be there.

The testcase is polite about waiting for us to click two links in succession, a
real exploit would simply attack.
Created attachment 180547 [details] [diff] [review]
Patch also checking data:

mconnor is having issues with cvs and bugzilla access right now, but asked me
to attach this.

r=caillon
a=caillon for aviary 1.0.3 and 1.1a pending sr=
Attachment #180532 - Attachment is obsolete: true
Attachment #180547 - Flags: superreview?(dveditz)
Attachment #180547 - Flags: review+
Attachment #180547 - Flags: approval-aviary1.1a+
Attachment #180547 - Flags: approval-aviary1.0.3+
Comment on attachment 180547 [details] [diff] [review]
Patch also checking data:

sr=dveditz
too bad these aren't uris
Attachment #180547 - Flags: superreview?(dveditz) → superreview+
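The two layers described in comment 4, plus the data: case the superreviewer asked for, as an added defender-side illustration that is not the patch from this bug; the scheme lists, the `sidebarLoadDecision` and `schemeOf` names, and the sample links are assumptions.

```javascript
// Added illustration, not the Firefox patch from this bug: a filter for anchors
// that target the "_search" web panel, modelling the two layers the fix describes.
// The scheme lists and function names are assumptions.
const PRIVILEGED_SCHEMES = new Set(["about", "chrome"]); // privileged UI content
const SCRIPT_SCHEMES = new Set(["javascript", "data"]);  // schemes that can carry script

// Extract the scheme the way a string-based check would (the hrefs here are
// strings, not URI objects). Leading whitespace and control characters are
// stripped and the result lower-cased so "  JavaScript:" is still caught.
function schemeOf(href) {
  const m = /^[\s\x00-\x1f]*([a-z][a-z0-9+.-]*):/i.exec(String(href));
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a link may be loaded into the sidebar. allowed === null means
// the link does not target the sidebar and normal link handling applies.
function sidebarLoadDecision(href, target) {
  if (target !== "_search") {
    return { allowed: null, reason: "not a _search target; normal link handling applies" };
  }
  const scheme = schemeOf(href);
  // Layer 2: script-bearing schemes are refused outright for _search targets,
  // whatever the security check would say about them.
  if (scheme !== null && SCRIPT_SCHEMES.has(scheme)) {
    return { allowed: false, reason: scheme + ": URLs are never loaded into the sidebar" };
  }
  // Layer 1: the missing web-security check, modelled as "web content may not
  // load or link to privileged content".
  if (scheme !== null && PRIVILEGED_SCHEMES.has(scheme)) {
    return { allowed: false, reason: "content may not load or link to " + href };
  }
  return { allowed: true, reason: "ordinary web URL" };
}

// Constructed sample links mirroring the kinds of hrefs the bug's testcases use.
const SAMPLE_LINKS = [
  { href: "about:plugins", target: "_search" },
  { href: "data:text/html,<p>hello</p>", target: "_search" },
  { href: "  JavaScript:void(0)", target: "_search" },
  { href: "http://example.org/panel.html", target: "_search" },
];

// Number of sample links the filter refuses to load into the sidebar.
function blockedCount(links) {
  return links.filter(l => sidebarLoadDecision(l.href, l.target).allowed === false).length;
}
```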
Committed attachment 180547 [details] [diff] [review] to AVIARY_1_0_1_20050124_BRANCH, 2005-04-12 21:43 PDT.
Keywords: fixed-aviary1.0.3
(Reporter)

Comment 12

12 years ago
I'm testing 2005-04-13-00-aviary1.0.1.

"Click Here First" - JavaScript console says "Security Error: Content at
https://bugzilla.mozilla.org/attachment.cgi?id=180506 may not load or link to
about:plugins."

"Next, Click Here" - nothing happens.

data: testcase produced the same results. Looks good.
also looks good (get expected errors) using 2005041301-1.0.3 ffox on linux fc3.
Blocks: 256195
No longer blocks: 284577
Fix released
Group: security
(Reporter)

Comment 15

12 years ago
Don't forget to commit patch on the trunk ;-)
(Assignee)

Comment 16

12 years ago
fixed on trunk as of yesterday.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Updated

11 years ago
Flags: testcase+

Comment 17

11 years ago
Verified fixed using Win FF 1.5.
Status: RESOLVED → VERIFIED

Updated

10 years ago
Flags: in-testsuite+ → in-testsuite?