Closed Bug 292499 Opened 19 years ago Closed 19 years ago

Addon Install feature can execute javascript in context of "chrome"

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED FIXED

People

(Reporter: pvnick, Assigned: dveditz)

References

()

Details

(Keywords: fixed-aviary1.0.4, Whiteboard: [sg:fix])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Using the install addon feature in firefox will open a confirmation dialog
containing, among other things, an image with a specified url. If this url is a
javascript:eval("[script]") link, javascript will be executed within the context
of the confirmation dialog ("chrome" page/full priviledges). By default, this
install feature can only be accessed from update.mozilla.org. However, using
another one of my bugs (#291618) will allow the vulnerability to be run from
update.mozilla.org.

Reproducible: Always

Steps to Reproduce:
1. http://greyhatsecurity.org/vulntests/more/ffaddonvuln.htm
2. Open the first link in a new tab
3. Drag the second link to the tab that is created

Actual Results:  
Javascript is executed in the confirmation dialog

Expected Results:  
The addon icon url should be filtered. Also, it wouldn't hurt to patch the bug
that this vuln is dependant on :P
There are two parts to this vulnerability. The ability to execute javascript
cross context via view-source:javascript: is covered in several other bugs, I'll
reserve this one for the Firefox install confirmation dialog running the iconURL
as a privileged script. The install whitelist is not supposed to be a security
feature, it's just an anti-annoyance feature.
Assignee: nobody → dveditz
Blocks: sbb?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
Blocks: 292691
greyhat page seems gone, can be tested with:
javascript:InstallTrigger.install({'blah':{URL:'http://www.mozilla.org',
IconURL:"javascript:eval('alert(Components.stack)')"}});void(0)
Fix checked into trunk as part of bug 292691
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Blocks: 293330
Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8
Group: security
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.