Closed Bug 291314 Opened 20 years ago Closed 20 years ago

content calling java methods causes trouble

Categories

(Firefox :: Security, defect)

x86
Linux
defect
Not set
critical


RESOLVED FIXED

People

(Reporter: guninski, Assigned: dveditz)


Details

(Whiteboard: [sg:fix] need patch)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

chrome calling java.io.File("/tmp/a").createNewFile() creates a file in /tmp

Reproducible: Always

Steps to Reproduce:
go to url

Actual Results:
a file with controllable name is created

Java(TM) Plug-in 1.5.0_02-b09
File name: libjavaplugin_oji.so
Java(TM) Plug-in 1.5.0_02
Chrome can already create a file and more with or without Java, letting it call into Java with permissions isn't a problem. The problem here is the chrome event handler calling a content function with chrome privs. Doesn't matter what the function does, that is the problem. I couldn't get this to work, but it might be me.
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.4?
the exploit works for me with both 1.0.3 and today's cvs trunk (with both brendan's Script kludge and without)
Why is this an exploit? Chrome should be allowed to do this.
did you check "steps to reproduce" and url below "qa contact"?
Group: security
I can confirm the testcase...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: chrome calling java methods causes trouble → content calling java methods causes trouble
There's at least one bug here, if not two. I'd comment in more detail, but I'd rather do that in security-sensitive bugs. Why was the security flag removed?
the security flag was removed because i spent time writing a testcase, there was no action on the bug for 5 days, and someone added himself to cc and asked "Why is this an exploit?"
Group: security
Whiteboard: [sg:fix]
Flags: blocking1.8b3+
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4?
Flags: blocking-aviary1.0.4+
Even with the patch in bug 281988 comment 73 i'm worried that someone can do:

  theFile = java.io.File('/etc/passwd');
  someNode.nodeName = theFile;
  theFile.toUpper = theFile.delete;
  event.target = someNode;
  document.body.dispatchEvent(event);

then trick us into getting the uppercase nodename of someNode. Will the above cause |this| to be changed for |delete| triggering the REBOUND flag to get set?
Sicking, thanks -- jst brought that up too. See bug 281988 attachment 182729 [details] [diff] [review]. /be
Depends on: 281988
looks like java objects created by applets aren't exploitable. can't at least this exploit be solved/kludged by disabling the java.* constructors from javascript - seems exploder does not support them?
Blocks: sbb?
Whiteboard: [sg:fix] → [sg:fix] need patch
this should be fixed on the trunk by bug 281988. Unblocking 1.8b3.
Flags: blocking1.8b3+
Georgi: This should be fixed on the Trunk, can you retest and report any issues you still see there? We need more testing on the Trunk before we can take the other fix from bug 281988 on the branch.
Status: NEW → RESOLVED
Closed: 20 years ago
Flags: blocking-aviary1.0.6+
Flags: blocking-aviary1.0.5-
Flags: blocking-aviary1.0.5+
Resolution: --- → FIXED
testcase doesn't work on today's cvs trunk. but i am not sure if in this testcase java tries to get executed at all, or fixing some other bug has stopped the codepath. will try to check this.
looks like chrome doesn't execute the luser's getter, so it is not clear if the bug is fixed if chrome would have executed the luser's getter.
Two fixes block this testcase: chrome ignores content-generated events, and on the trunk chrome doesn't see user-created properties anymore. Might be able to play around with something like bug 290324 on the 1.0 branch to get chrome to access java -- we didn't change anything in the way liveconnect/java works.
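The two mitigations named in the comment above (chrome ignores content-generated events; chrome does not see content-created properties on the objects it touches) can be illustrated with a small stand-alone model. This is an added example, not Gecko or Firefox code: `Node`, `makeEvent`, `wrapForChrome` and `chromeHandler` are constructed for this illustration, and the `isTrusted` flag stands in for the browser's own notion of a trusted event. It shows a naive privileged handler invoking a content-supplied function through a shadowed `nodeName`, and the hardened handler reaching only the intrinsic accessor.

```javascript
// Internal slot for the intrinsic node name. Content code in this model has no
// reference to this WeakMap, so it cannot read or replace the stored value.
const intrinsicName = new WeakMap();

// Constructed stand-in for a DOM node (not the real DOM Node class).
class Node {
  constructor(name) { intrinsicName.set(this, name); }
  // Intrinsic accessor, defined on the trusted prototype.
  get nodeName() { return intrinsicName.get(this); }
  // Brand check: true only for objects created by this constructor.
  static isNode(o) { return intrinsicName.has(o); }
}

// Constructed event shape; isTrusted models "generated by the browser, not by
// content calling dispatchEvent".
function makeEvent(target, isTrusted) {
  return { type: 'click', target, isTrusted };
}

// Chrome-side view of a content object: only properties defined on the
// trusted prototype are reachable. Own properties that content added
// (expandos, shadowed accessors such as a replaced nodeName) are invisible,
// and no content-defined function is ever called from privileged code.
function wrapForChrome(obj, trustedProto) {
  return new Proxy(obj, {
    get(target, prop) {
      const desc = Object.getOwnPropertyDescriptor(trustedProto, prop);
      if (!desc) return undefined;
      if (desc.get) return desc.get.call(target);
      return typeof desc.value === 'function' ? desc.value.bind(target) : desc.value;
    },
    has(target, prop) {
      return Object.prototype.hasOwnProperty.call(trustedProto, prop);
    },
    set() { return false; },
  });
}

// Hardened privileged handler applying both rules.
function chromeHandler(event) {
  // Rule 1: ignore events that content dispatched.
  if (!event.isTrusted) return { handled: false, reason: 'untrusted event' };
  // Rule 2: only operate on genuine nodes, through the wrapper.
  if (!Node.isNode(event.target)) return { handled: false, reason: 'not a Node' };
  const safe = wrapForChrome(event.target, Node.prototype);
  const name = safe.nodeName;
  // String.prototype.toUpperCase is a built-in; content cannot swap its own
  // function in for it via the target object.
  return { handled: true, upper: String(name).toUpperCase() };
}

// Runs the naive and the hardened handler against a node whose nodeName has
// been shadowed by content with an object carrying its own toUpperCase.
function demo() {
  const node = new Node('div');
  let contentCodeRan = false;
  const decoy = {
    toUpperCase() { contentCodeRan = true; return 'CONTENT-DEFINED'; },
  };
  // Content shadows the intrinsic accessor with an own property.
  Object.defineProperty(node, 'nodeName', {
    value: decoy, configurable: true, writable: true,
  });

  // Naive privileged code reading the property directly: runs content's function.
  const naive = node.nodeName.toUpperCase();
  const naiveRan = contentCodeRan;
  contentCodeRan = false;

  const untrusted = chromeHandler(makeEvent(node, false));
  const trusted = chromeHandler(makeEvent(node, true));
  return { naive, naiveRan, untrusted, trusted, contentCodeRan };
}

console.log(demo());
```

The important property is that the hardened path never dereferences anything content can define: the event is rejected unless the browser generated it, and `nodeName` is resolved against the trusted prototype rather than the object's own properties.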
*** Bug 303856 has been marked as a duplicate of this bug. ***
Group: security
Flags: blocking-aviary1.0.8+ → blocking-aviary1.0.8?
The problem is not reproducible. It may just be blocked by other fixes or there may be another unknown path to cause it. Either way we can't fix what we can't see. No patch. So can't make it into 1.0.8.
Flags: blocking-aviary1.0.8? → blocking-aviary1.0.8-
(In reply to comment #19)
> The problem is not reproducible. It may just be blocked by other fixes or
> there may be another unknown path to cause it. Either way we can't fix what we
> can't see. No patch. So can't make it into 1.0.8.

some other fix killed the bug of calling it. more actual similar "issue" is bug 324630