Closed
Bug 292499
Opened 20 years ago
Closed 20 years ago
Addon Install feature can execute javascript in context of "chrome"
Categories
(Firefox :: Security, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: pvnick, Assigned: dveditz)
References
()
Details
(Keywords: fixed-aviary1.0.4, Whiteboard: [sg:fix])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Using the install addon feature in firefox will open a confirmation dialog
containing, among other things, an image with a specified url. If this url is a
javascript:eval("[script]") link, javascript will be executed within the context
of the confirmation dialog ("chrome" page/full priviledges). By default, this
install feature can only be accessed from update.mozilla.org. However, using
another one of my bugs (#291618) will allow the vulnerability to be run from
update.mozilla.org.
Reproducible: Always
Steps to Reproduce:
1. http://greyhatsecurity.org/vulntests/more/ffaddonvuln.htm
2. Open the first link in a new tab
3. Drag the second link to the tab that is created
Actual Results:
Javascript is executed in the confirmation dialog
Expected Results:
The addon icon url should be filtered. Also, it wouldn't hurt to patch the bug
that this vuln is dependant on :P
Assignee | ||
Comment 1•20 years ago
|
||
There are two parts to this vulnerability. The ability to execute javascript
cross context via view-source:javascript: is covered in several other bugs, I'll
reserve this one for the Firefox install confirmation dialog running the iconURL
as a privileged script. The install whitelist is not supposed to be a security
feature, it's just an anti-annoyance feature.
Assignee: nobody → dveditz
Blocks: sbb?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
Assignee | ||
Comment 2•20 years ago
|
||
greyhat page seems gone, can be tested with:
javascript:InstallTrigger.install({'blah':{URL:'http://www.mozilla.org',
IconURL:"javascript:eval('alert(Components.stack)')"}});void(0)
Assignee | ||
Comment 3•20 years ago
|
||
Fix checked into trunk as part of bug 292691
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•20 years ago
|
Keywords: fixed-aviary1.0.4
Assignee | ||
Comment 4•20 years ago
|
||
Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8
Group: security
Assignee | ||
Updated•20 years ago
|
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+
Updated•19 years ago
|
Flags: testcase+
Updated•18 years ago
|
Flags: in-testsuite+ → in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•