Last Comment Bug 292499 - Addon Install feature can execute javascript in context of "chrome"
: Addon Install feature can execute javascript in context of "chrome"
Status: RESOLVED FIXED
[sg:fix]
: fixed-aviary1.0.4
Product: Firefox
Classification: Client Software
Component: Security (show other bugs)
: unspecified
: x86 Windows XP
: -- major (vote)
: ---
Assigned To: Daniel Veditz [:dveditz]
:
:
Mentors:
http://greyhatsecurity.org/vulntests/...
Depends on:
Blocks: sbb? 292691 293330
  Show dependency treegraph
 
Reported: 2005-04-30 20:46 PDT by Paul Nickerson
Modified: 2007-04-01 14:59 PDT (History)
1 user (show)
dveditz: blocking‑aviary1.0.4+
dveditz: blocking1.8b3+
dveditz: blocking‑aviary1.5+
bob: in‑testsuite?
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Paul Nickerson 2005-04-30 20:46:35 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Using the install addon feature in firefox will open a confirmation dialog
containing, among other things, an image with a specified url. If this url is a
javascript:eval("[script]") link, javascript will be executed within the context
of the confirmation dialog ("chrome" page/full priviledges). By default, this
install feature can only be accessed from update.mozilla.org. However, using
another one of my bugs (#291618) will allow the vulnerability to be run from
update.mozilla.org.

Reproducible: Always

Steps to Reproduce:
1. http://greyhatsecurity.org/vulntests/more/ffaddonvuln.htm
2. Open the first link in a new tab
3. Drag the second link to the tab that is created

Actual Results:  
Javascript is executed in the confirmation dialog

Expected Results:  
The addon icon url should be filtered. Also, it wouldn't hurt to patch the bug
that this vuln is dependant on :P
Comment 1 Daniel Veditz [:dveditz] 2005-05-03 13:42:31 PDT
There are two parts to this vulnerability. The ability to execute javascript
cross context via view-source:javascript: is covered in several other bugs, I'll
reserve this one for the Firefox install confirmation dialog running the iconURL
as a privileged script. The install whitelist is not supposed to be a security
feature, it's just an anti-annoyance feature.
Comment 2 Daniel Veditz [:dveditz] 2005-05-09 04:17:07 PDT
greyhat page seems gone, can be tested with:
javascript:InstallTrigger.install({'blah':{URL:'http://www.mozilla.org',
IconURL:"javascript:eval('alert(Components.stack)')"}});void(0)
Comment 3 Daniel Veditz [:dveditz] 2005-05-13 15:15:24 PDT
Fix checked into trunk as part of bug 292691
Comment 4 Daniel Veditz [:dveditz] 2005-05-18 13:09:58 PDT
Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8

Note You need to log in before you can comment on or make changes to this bug.