Bug 290079 - arbitrary code execution via sidebar (part 2)
Status: Closed, VERIFIED FIXED
Opened 20 years ago, closed 20 years ago
Categories: Firefox :: Security, defect
People: Reporter: u115577, Assigned: mconnor
Keywords: fixed-aviary1.0.3, testcase; Whiteboard: [sg:fix]
Attachments (3 files, 1 obsolete file)
677 bytes, text/html
548 bytes, text/html
4.05 KB, patch: caillon: review+; dveditz: superreview+; caillon: approval-aviary1.0.3+; caillon: approval-aviary1.1a1+
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050412 Firefox/1.0+
Sidebar allows an attacker to link to the privileged content (such as about:config) and run arbitrary code on the content.
If anchor contains target="_search", all security checks are bypassed.
http://lxr.mozilla.org/mozilla/source/browser/base/content/browser.js#4687
Related: Bug 284627
Reproducible: Always
Steps to Reproduce:
1. Click links in order
Actual Results:
about:plugins is loaded into Sidebar web panel. "browser.startup.homepage" will be overwritten. Further attacks can be done successfully.
Expected Results:
Link to the privileged content should be blocked.
Comment 2•20 years ago
I can confirm that the attached test case changes my homepage to mozdev.org.
Status: UNCONFIRMED → NEW
Ever confirmed: true
In Mozilla Suite, the testcase failed to load about:plugins. Expected security error appears in JavaScript Console. This is a Firefox-specific bug.
Updated•20 years ago
Whiteboard: [sg:fix]
Updated•20 years ago
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.3?
Flags: blocking-aviary1.0.3+
Comment 4 (Assignee)•20 years ago
This is a double-layered fix:
Add the obvious missing security check.
Block javascript: URLs entirely if they target _search. This is matching behaviour to IE, and since this is an IE-ism, I feel completely safe in taking this step.
I will file a followup bug tonight or tomorrow about looking over our web panels code and better bulletproofing this against future silliness.
Comment 5•20 years ago
Comment on attachment 180532
add security check, block javascript: URLs completely (matching IE)
Who should review/superreview this patch?
a=chase pending r/sr
Attachment #180532 -
Flags: approval-aviary1.1a?
Attachment #180532 -
Flags: approval-aviary1.0.3?
Updated•20 years ago
Attachment #180532 -
Flags: approval-aviary1.1a?
Attachment #180532 -
Flags: approval-aviary1.1a+
Attachment #180532 -
Flags: approval-aviary1.0.3?
Attachment #180532 -
Flags: approval-aviary1.0.3+
Updated•20 years ago
Attachment #180532 -
Flags: superreview?(dveditz)
Attachment #180532 -
Flags: review?(caillon)
Comment 6•20 years ago
Comment on attachment 180532
add security check, block javascript: URLs completely (matching IE)
looks good, but needs data: too.
Attachment #180532 -
Flags: superreview?(dveditz) → superreview-
Comment 7 (Assignee)•20 years ago
Updated•20 years ago
Attachment #180532 -
Flags: review?(caillon)
Comment 8•20 years ago
Note that the webSecurityCheck() prevents the opening of chrome, but even without chrome privs you could load some target site in the sidebar and then inject script using data: to steal cookies or whatever else might be there.
The testcase is polite about waiting for us to click two links in succession, a real exploit would simply attack.
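Comment 4 describes the fix as two layers (the missing security check on what web content may link to, plus an outright refusal of javascript: for target="_search"), and comments 6 and 8 explain why data: had to be added to the blocked list. The following is an added example illustrating that policy as a stand-alone decision function; it is not Firefox's browser.js code, and the names checkSearchTargetLoad, contentMayLink, schemeOf and the scheme allow-list are hypothetical. contentMayLink() only stands in for the real webSecurityCheck() mentioned in comment 8; the sample links are constructed, not the bug's attached test cases.

```javascript
// Added example: the link policy the fix in this bug describes, written as a
// stand-alone function. It is NOT Firefox's browser.js; every name here is
// hypothetical, and contentMayLink() stands in for the real webSecurityCheck().

// Schemes that are never loaded into a sidebar web panel via target="_search":
// both carry script into the panel, which is what the fix has to prevent.
const BLOCKED_SEARCH_SCHEMES = new Set(["javascript", "data"]);

// Schemes ordinary web content is allowed to link to (hypothetical allow-list).
const WEB_SCHEMES = new Set(["http", "https", "ftp"]);

// Return the lower-cased scheme of an absolute URL, or null if it has none.
// Leading whitespace and mixed case are normalised so "  JavaScript:" is caught.
function schemeOf(href) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// Stand-in for the security check the bug says was missing: untrusted content
// may only link to web schemes, never to about:, chrome: or other privileged URLs.
function contentMayLink(href) {
  const scheme = schemeOf(href);
  return scheme !== null && WEB_SCHEMES.has(scheme);
}

// Decide whether a link may be loaded into the sidebar web panel.
// `href` is the already-resolved absolute URL of the link, `target` its target.
function checkSearchTargetLoad(href, target) {
  if (target !== "_search") {
    // Not a sidebar load; ordinary link handling (and its own checks) applies.
    return { allowed: true, reason: "not a _search link" };
  }
  const scheme = schemeOf(href);
  if (scheme === null) {
    return { allowed: false, reason: "href has no scheme; expected an absolute URL" };
  }
  // Second layer of the fix: refuse javascript: and data: for _search outright.
  if (BLOCKED_SEARCH_SCHEMES.has(scheme)) {
    return { allowed: false, reason: `${scheme}: URLs are blocked for target=_search` };
  }
  // First layer of the fix: the security check that about:plugins/about:config
  // loads should have failed.
  if (!contentMayLink(href)) {
    return { allowed: false, reason: `content may not link to ${scheme}: URLs` };
  }
  return { allowed: true, reason: "ok" };
}

// Run the decision over a list of [href, target] pairs and report each outcome.
function auditLinks(links) {
  return links.map(([href, target]) => ({ href, target, ...checkSearchTargetLoad(href, target) }));
}

// Constructed sample links (not the bug's attached test cases).
const SAMPLE_LINKS = [
  ["about:plugins", "_search"],
  ["about:config", "_search"],
  ["javascript:1", "_search"],
  ["  JavaScript:1", "_search"],
  ["data:text/html,hello", "_search"],
  ["https://example.org/panel.html", "_search"],
  ["https://example.org/", "_blank"],
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditLinks(SAMPLE_LINKS)) {
    console.log(`${r.allowed ? "ALLOW" : "BLOCK"} ${r.target} ${r.href} (${r.reason})`);
  }
}
```

The scheme is matched case-insensitively after trimming leading whitespace because a check that compares the raw href string against "javascript:" is trivially sidestepped by casing or padding; the decision also refuses scheme-less input rather than guessing, so a caller must resolve relative hrefs before asking.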
Comment 9•20 years ago
mconnor is having issues with cvs and bugzilla access right now, but asked me to attach this.
r=caillon
a=caillon for aviary 1.0.3 and 1.1a pending sr=
Updated•20 years ago
Attachment #180532 -
Attachment is obsolete: true
Attachment #180547 -
Flags: superreview?(dveditz)
Attachment #180547 -
Flags: review+
Attachment #180547 -
Flags: approval-aviary1.1a+
Attachment #180547 -
Flags: approval-aviary1.0.3+
Comment 10•20 years ago
Comment on attachment 180547
Patch also checking data:
sr=dveditz
too bad these aren't uris
Attachment #180547 -
Flags: superreview?(dveditz) → superreview+
Comment 11•20 years ago
Committed attachment 180547 to AVIARY_1_0_1_20050124_BRANCH, 2005-04-12 21:43 PDT.
Keywords: fixed-aviary1.0.3
Comment 12 (Reporter)•20 years ago
I'm testing 2005-04-13-00-aviary1.0.1.
"Click Here First" - JavaScript console says "Security Error: Content at https://bugzilla.mozilla.org/attachment.cgi?id=180506 may not load or link to about:plugins."
"Next, Click Here" - nothing happens.
data: testcase produced the same results. Looks good.
Comment 13•20 years ago
also looks good (get expected errors) using 2005041301-1.0.3 ffox on linux fc3.
Updated•20 years ago
Comment 15 (Reporter)•20 years ago
Don't forget to commit patch on the trunk ;-)
Comment 16 (Assignee)•20 years ago
fixed on trunk as of yesterday.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated•19 years ago
Flags: testcase+
Updated•18 years ago
Flags: in-testsuite+ → in-testsuite?