Closed
Bug 292937
Opened 19 years ago
Closed 19 years ago
Background Images can be in chrome protocol
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: pvnick, Assigned: dveditz)
References
()
Details
(Keywords: fixed-aviary1.0.5, Whiteboard: [sg:fix] uses view-source:javascript: need patch)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3 You may have received Mikx's report about the "view image" option allows a webpage to navigate to chrome page. This also works with the "view background image" option. Reproducible: Always Steps to Reproduce: 1. Enable popups for the PoC to work 2. Navigate to http://greyhatsecurity.org/vulntests/background.htm 3. Right click and press "view background image" Actual Results: Popup opens, uses view-source:javascript bug, executes script in context of all-powerful chrome :) Expected Results: Background image url should be filtered This is a different report than Mikx's; no dupe! :)
|
Assignee | |
Updated•19 years ago
|
Assignee: nobody → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix] uses view-source:javascript:
|
||
Updated•19 years ago
|
Whiteboard: [sg:fix] uses view-source:javascript: → [sg:fix] uses view-source:javascript: need patch
|
||
Comment 1•19 years ago
|
||
Paul: Have you been able to reproduce this with Firefox 1.0.4? I just tried and although the popup opens, it doesn't look like anything bad is happening. I see the following in the JS Console: Error: uncaught exception: [Exception... "Illegal value" nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: http://greyhatsecurity.org/vulntests/runscript.htm :: <TOP_LEVEL> :: line 8" data: no] And get the following JS error popup: Permission denied to get property Location.href Is that the expected behavior? Or was this fixed between 1.0.3 and 1.0.4?
|
|
Assignee | |
Comment 2•19 years ago
|
||
The testcase makes use of view-source:javascript which was blocked with bug 290982 in ff1.0.4, but there's still a missing security check on view (background) image.
|
|
Assignee | |
Comment 3•19 years ago
|
||
Fix incorporated into the patch for similar bug 292774, checked in
|
|
||
Comment 4•19 years ago
|
||
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050706 Firefox/1.0.5 using original testcase. I get a blank window after going back, but nothing bad happens.
|
|
Assignee | |
Comment 5•19 years ago
|
||
(In reply to comment #4) > v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) > Gecko/20050706 Firefox/1.0.5 using original testcase. I get a blank window > after going back, but nothing bad happens. This testcase relies on view-source:javascript:eval(). The eval() part was only useful starting in 1.0.3, and the view-source:javascript part was disabled in 1.0.4 by the fix for bug 290982.
|
|
Assignee | |
Comment 6•19 years ago
|
||
Adding distributors
|
||
Updated•19 years ago
|
Flags: testcase+
|
|
||
Updated•17 years ago
|
Flags: in-testsuite+ → in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•