Closed
Bug 292774
Opened 20 years ago
Closed 20 years ago
"View Image" context menu allows chrome access
Categories
(Firefox :: Menus, defect)
Firefox
Menus
Tracking
()
RESOLVED
FIXED
People
(Reporter: mikx, Assigned: dveditz)
References
()
Details
(Keywords: fixed-aviary1.0.5, fixed1.7.9, Whiteboard: [sg:fix])
Attachments
(2 files)
|
803 bytes,
patch
|
bzbarsky
:
review+
dveditz
:
superreview+
dveditz
:
approval-aviary1.0.5+
|
Details | Diff | Splinter Review |
|
1.25 KB,
patch
|
dveditz
:
review+
jst
:
superreview+
dveditz
:
approval-aviary1.0.5+
dveditz
:
approval-aviary1.1a2+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 The context menu option "View Image" does not validate the src of the image. The image source URL is directly opened without checking if this may result in chrome access. By using absolute positioning and the moz-opacity filter an attacker can easily fool the user to think he is going to view a valid image. While this isn't exploitable without being combined with other flaws, it can be a significant stepstone for attacks. Beside cross site scripting exploits that use the chrome page as the entry point for privilege elevation attacks, there might be scripts in chrome that can be tricked into evaluating parts of the calling url string. chrome://mozapps/content/extensions/extensions.xul is an example for a page that uses location.search as part of their scripts - even though i wasn't able to leverage this. Reproducible: Always Steps to Reproduce: 1. Open http://bugzilla:2Ke7Zis@www.mikx.de/fireimaging/ 2. Follow instructions
|
Assignee | |
Comment 1•20 years ago
|
||
It'd be an easy fix since the fix for bug 69070 explicitly allows <img> to reference chrome urls: http://lxr.mozilla.org/mozilla/source/content/base/src/nsContentUtils.cpp#1821 We might want to disable View-image for broken images. In any case the view-image code should do another checkLoadURI regardless of what we do with the bug 69070 fix. Paranoia can't hurt and in this case is justified.
Assignee: nobody → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
|
|
Assignee | |
Comment 2•20 years ago
|
||
Changing the 69070 fix won't help: even if the load is denied the user can "View Image" on the empty space. See with the blocked "file" image with the following data url data:text/html,<a%20href="chrome://browser/content/browser.xul">link</a><img%20src="chrome://browser/skin/Throbber.gif"><img%20src="file://c|/tmp/mozilla-16.png"><img%20src="http:/www.biiid.com/c|/tmp/mozilla-16.png">
Status: NEW → ASSIGNED
|
||
Comment 3•20 years ago
|
||
Changing the check in content utils would actually break various stuff (like broken-image icons in webpages). I think doing a checkLoadURI in the "view image" code is the way to go. Also do the same in "view only this frame" and any similar options we have in the context menu.
|
||
Comment 4•20 years ago
|
||
I don't (yet) think that "view only this frame" is similar - the frame and all of its scripts etc. will already have been loaded.
Attachment #182566 -
Flags: superreview?(dveditz)
Attachment #182566 -
Flags: review?(bzbarsky)
|
Reporter | |
Comment 5•20 years ago
|
||
The demo page got updated to proof that this bug can actually be exploitet to run arbitrary code in combination with popups and a cross site scripting bug.
|
|
||
Comment 6•20 years ago
|
||
Comment on attachment 182566 [details] [diff] [review] xpfe view [background] image patch (checked in) Hmm.. I guess if a frame load is blocked by security the target.ownerDocument will be about:blank, so viewing the frame will show nothing... r=bzbarsky (note that this is seamonkey-only and should land on 1.7.8; Firefox also needs a patch here...)
Attachment #182566 -
Flags: review?(bzbarsky) → review+
|
||
Updated•20 years ago
|
Whiteboard: [sg:fix] → [sg:fix] have seamonkey patch- - needs review --need firefox patch
|
||
Comment 7•20 years ago
|
||
should be sufficient, per bz's comment
Attachment #186443 -
Flags: review?(dveditz)
Attachment #186443 -
Flags: approval-aviary1.0.5?
|
||
Comment 8•20 years ago
|
||
Comment on attachment 186443 [details] [diff] [review] firefox version of seamonkey patch (checked in) sr=jst
Attachment #186443 -
Flags: superreview+
|
|
Assignee | |
Comment 9•20 years ago
|
||
Comment on attachment 182566 [details] [diff] [review] xpfe view [background] image patch (checked in) sr=dveditz a=dveditz for aviary1.0.1 and moz1.7 branches and trunk
Attachment #182566 -
Flags: superreview?(dveditz)
Attachment #182566 -
Flags: superreview+
Attachment #182566 -
Flags: approval-aviary1.0.5+
|
|
Assignee | |
Comment 10•20 years ago
|
||
Comment on attachment 186443 [details] [diff] [review] firefox version of seamonkey patch (checked in) r=dveditz a=dveditz for branches and trunk
Attachment #186443 -
Flags: review?(dveditz)
Attachment #186443 -
Flags: review+
Attachment #186443 -
Flags: approval-aviary1.1a2+
Attachment #186443 -
Flags: approval-aviary1.0.5?
Attachment #186443 -
Flags: approval-aviary1.0.5+
|
|
||
Comment 11•20 years ago
|
||
Comment on attachment 182566 [details] [diff] [review] xpfe view [background] image patch (checked in) landed on trunk and 1.7.9 branch
Attachment #182566 -
Attachment description: xpfe view [background] image patch → xpfe view [background] image patch (checked in)
|
|
||
Comment 12•20 years ago
|
||
Comment on attachment 186443 [details] [diff] [review] firefox version of seamonkey patch (checked in) landed on aviary 1.0.1 branch and trunk
Attachment #186443 -
Attachment description: firefox version of seamonkey patch → firefox version of seamonkey patch (checked in)
|
|
||
Updated•20 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Keywords: fixed-aviary1.0.5,
fixed1.7.9
Resolution: --- → FIXED
|
|
||
Comment 13•20 years ago
|
||
Damn, I forgot the trailing semicolons. How annoying :-[
|
||
Comment 14•19 years ago
|
||
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050706 Firefox/1.0.5 using the mikx testcase. If I enable popups, I still get a small window, but nothing bad happens. With popups disabled, everything seems fine.
|
|
Assignee | |
Comment 15•19 years ago
|
||
(In reply to comment #14) > v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) > Gecko/20050706 Firefox/1.0.5 using the mikx testcase. If I enable popups, I > still get a small window, but nothing bad happens. With popups disabled, > everything seems fine. This testcase relies on view-source:javascript:eval(). The eval() part was only useful starting in 1.0.3, and the view-source:javascript part was disabled in 1.0.4 by the fix for bug 290982.
Whiteboard: [sg:fix] have seamonkey patch- - needs review --need firefox patch → [sg:fix]
|
|
Assignee | |
Comment 16•19 years ago
|
||
Adding distributors
|
||
Comment 18•19 years ago
|
||
Is this a particular MFSA ?
|
|
Assignee | |
Comment 19•19 years ago
|
||
(In reply to comment #18) > Is this a particular MFSA ? We did not issue an advisory because the exploit was blocked by a fix in an earlier version (which did get an advisory). What was ultimately fixed here was the potential stepping stone to an exploit should another XSS bug be found.
|
||
Updated•19 years ago
|
Flags: testcase+
|
|
||
Updated•18 years ago
|
Flags: in-testsuite+ → in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•