Closed Bug 292499 Opened 20 years ago Closed 20 years ago

Addon Install feature can execute javascript in context of "chrome"

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED FIXED

People

(Reporter: pvnick, Assigned: dveditz)

References

()

Details

(Keywords: fixed-aviary1.0.4, Whiteboard: [sg:fix])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 Using the install addon feature in firefox will open a confirmation dialog containing, among other things, an image with a specified url. If this url is a javascript:eval("[script]") link, javascript will be executed within the context of the confirmation dialog ("chrome" page/full priviledges). By default, this install feature can only be accessed from update.mozilla.org. However, using another one of my bugs (#291618) will allow the vulnerability to be run from update.mozilla.org. Reproducible: Always Steps to Reproduce: 1. http://greyhatsecurity.org/vulntests/more/ffaddonvuln.htm 2. Open the first link in a new tab 3. Drag the second link to the tab that is created Actual Results: Javascript is executed in the confirmation dialog Expected Results: The addon icon url should be filtered. Also, it wouldn't hurt to patch the bug that this vuln is dependant on :P
There are two parts to this vulnerability. The ability to execute javascript cross context via view-source:javascript: is covered in several other bugs, I'll reserve this one for the Firefox install confirmation dialog running the iconURL as a privileged script. The install whitelist is not supposed to be a security feature, it's just an anti-annoyance feature.
Assignee: nobody → dveditz
Blocks: sbb?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
Blocks: 292691
greyhat page seems gone, can be tested with: javascript:InstallTrigger.install({'blah':{URL:'http://www.mozilla.org', IconURL:"javascript:eval('alert(Components.stack)')"}});void(0)
Fix checked into trunk as part of bug 292691
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Blocks: 293330
Clearing security flag from announced vulnerabilities fixed in Firefox 1.0.4/Mozilla 1.7.8
Group: security
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.4+
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.