Addon Install feature can execute javascript in context of "chrome"

RESOLVED FIXED

Status

()

Firefox
Security
--
major
RESOLVED FIXED
12 years ago
10 years ago

People

(Reporter: Paul Nickerson, Assigned: dveditz)

Tracking

({fixed-aviary1.0.4})

unspecified
x86
Windows XP
fixed-aviary1.0.4
Points:
---
Dependency tree / graph
Bug Flags:
blocking-aviary1.0.4 +
blocking1.8b3 +
blocking-aviary1.5 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix], URL)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Using the install addon feature in firefox will open a confirmation dialog
containing, among other things, an image with a specified url. If this url is a
javascript:eval("[script]") link, javascript will be executed within the context
of the confirmation dialog ("chrome" page/full priviledges). By default, this
install feature can only be accessed from update.mozilla.org. However, using
another one of my bugs (#291618) will allow the vulnerability to be run from
update.mozilla.org.

Reproducible: Always

Steps to Reproduce:
1. http://greyhatsecurity.org/vulntests/more/ffaddonvuln.htm
2. Open the first link in a new tab
3. Drag the second link to the tab that is created

Actual Results:  
Javascript is executed in the confirmation dialog

Expected Results:  
The addon icon url should be filtered. Also, it wouldn't hurt to patch the bug
that this vuln is dependant on :P
(Assignee)

Comment 1

12 years ago
There are two parts to this vulnerability. The ability to execute javascript
cross context via view-source:javascript: is covered in several other bugs, I'll
reserve this one for the Firefox install confirmation dialog running the iconURL
as a privileged script. The install whitelist is not supposed to be a security
feature, it's just an anti-annoyance feature.
Assignee: nobody → dveditz
Blocks: 256195
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
(Assignee)

Updated

12 years ago
Blocks: 292691
(Assignee)

Comment 2

12 years ago
greyhat page seems gone, can be tested with:
javascript:InstallTrigger.install({'blah':{URL:'http://www.mozilla.org',
IconURL:"javascript:eval('alert(Components.stack)')"}});void(0)
(Assignee)

Comment 3

12 years ago
Fix checked into trunk as part of bug 292691
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Updated

12 years ago
Blocks: 293330
(Assignee)

Updated

12 years ago
Keywords: fixed-aviary1.0.4
(Assignee)

Comment 4

12 years ago
Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8
Group: security
(Assignee)

Updated

12 years ago
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+

Updated

11 years ago
Flags: testcase+

Updated

10 years ago
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.