Closed Bug 292937 Opened 20 years ago Closed 20 years ago

Background Images can be in chrome protocol

Categories: Firefox :: General, defect
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: major


RESOLVED FIXED

People
Reporter: pvnick
Assigned: dveditz


Details
Keywords: fixed-aviary1.0.5
Whiteboard: [sg:fix] uses view-source:javascript: need patch

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

You may have received Mikx's report about the "view image" option allowing a webpage to navigate to a chrome page. This also works with the "view background image" option.

Reproducible: Always

Steps to Reproduce:
1. Enable popups for the PoC to work
2. Navigate to http://greyhatsecurity.org/vulntests/background.htm
3. Right click and press "view background image"

Actual Results:
Popup opens, uses view-source:javascript bug, executes script in context of all-powerful chrome :)

Expected Results:
Background image url should be filtered

This is a different report than Mikx's; no dupe! :)
Assignee: nobody → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix] uses view-source:javascript:
Blocks: sbb?
Whiteboard: [sg:fix] uses view-source:javascript: → [sg:fix] uses view-source:javascript: need patch
Paul: Have you been able to reproduce this with Firefox 1.0.4? I just tried and although the popup opens, it doesn't look like anything bad is happening. I see the following in the JS Console:

Error: uncaught exception: [Exception... "Illegal value" nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: http://greyhatsecurity.org/vulntests/runscript.htm :: <TOP_LEVEL> :: line 8" data: no]

And get the following JS error popup:

Permission denied to get property Location.href

Is that the expected behavior? Or was this fixed between 1.0.3 and 1.0.4?
The testcase makes use of view-source:javascript which was blocked with bug 290982 in ff1.0.4, but there's still a missing security check on view (background) image.
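The missing check described above is a URL-scheme decision made on a string the web page controls. As an added illustration (not Firefox code and not the patch from bug 292774), the block below contrasts a deny-list check of the kind the testcase slips past (it only sees the outer "view-source" scheme, never the nested "javascript") with an allow-list check that refuses everything web content is not meant to load. Function names, the allowed-scheme policy and the sample URLs are constructed for this example.

```javascript
// Added example, not Firefox code: deciding whether a URL that came from web
// content (here, a CSS background-image URL) may be opened by a privileged UI
// action such as "View Background Image". Names and samples are constructed.

// Parse the scheme the way a lenient loader would: ignore leading whitespace
// and control characters, and compare case-insensitively.
function schemeOf(url) {
  const trimmed = String(url).replace(/^[\s\x00-\x1f]+/, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// Weak check: deny a few known-dangerous schemes. A nested URL such as
// view-source:javascript:... has the outer scheme "view-source", so it passes.
const DENIED_SCHEMES = new Set(["chrome", "javascript"]);
function denylistAllows(url) {
  const scheme = schemeOf(url);
  return scheme !== null && !DENIED_SCHEMES.has(scheme);
}

// Hardened check: only schemes web content is meant to load are accepted.
// chrome:, javascript:, view-source:, resource: and unparseable strings are
// all refused without having to enumerate them. (Policy assumed for example.)
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp"]);
function isSafeContentUrl(url) {
  const scheme = schemeOf(url);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample of URLs a page could place in a background-image rule.
const SAMPLE_URLS = [
  "https://example.test/bg.png",
  "chrome://browser/content/browser.xul",
  "view-source:javascript:eval('1+1')",
  " JavaScript:void(0)",
];

// For each sample, report what the two checks decide so the gap is visible.
function compareChecks(urls = SAMPLE_URLS) {
  return urls.map((url) => ({
    url,
    denylist: denylistAllows(url),
    allowlist: isSafeContentUrl(url),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

Run with `node` to print the comparison table; the third row shows the deny-list accepting the nested view-source:javascript: URL while the allow-list refuses it, which is the shape of the check the comment above says was missing.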
Fix incorporated into the patch for similar bug 292774, checked in
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050706 Firefox/1.0.5 using original testcase. I get a blank window after going back, but nothing bad happens.
(In reply to comment #4)
> v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
> Gecko/20050706 Firefox/1.0.5 using original testcase. I get a blank window
> after going back, but nothing bad happens.

This testcase relies on view-source:javascript:eval(). The eval() part was only useful starting in 1.0.3, and the view-source:javascript part was disabled in 1.0.4 by the fix for bug 290982.
Adding distributors
FF1.0.5 advisories published
Group: security
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?