arbitrary code execution via sidebar (part 3)

VERIFIED FIXED

Status


Firefox
Security
--
critical
VERIFIED FIXED
12 years ago
6 years ago

People

(Reporter: bugzilla, Assigned: bugzilla)

Tracking

Keywords: fixed-aviary1.0.5, testcase
Version: Trunk
Points:
---
Bug Flags:
blocking-aviary1.0.5 +
blocking1.8b3 +
blocking-aviary1.5 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix])

Attachments

(2 attachments)

(Assignee)

Description

12 years ago
My bug 284627 has not been fully fixed. "data:" url check is missing. Augh.

Then, bug 226548 becomes a problem. Links on the sidebar panel send wrong
referer. This could be used for cross-site scripting.

If you are on about:config or chrome url, referer is set to that privileged
content, not to the sidebar panel itself. This allows an attacker to execute
arbitrary code.
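The fix in the attached patch is a scheme check on the URL a sidebar panel is loaded from, extended from "javascript:" to "data:" as well. As an added illustration that is neither Firefox's code nor the attached patch, the JavaScript below shows such a check together with the two inputs a naive prefix comparison would accept (leading whitespace and a mixed-case scheme name), plus an allowlist variant. The function names, the scheme sets and the sample URLs are assumptions constructed for this example.

```javascript
// Added example: validate a sidebar panel URL before loading it.
// Not the Firefox patch; names and sets below are constructed for illustration.

// Schemes whose content runs script in the loading document's context.
const BLOCKED_SCHEMES = new Set(["javascript", "data"]);

// Schemes a sidebar panel legitimately needs (assumed set for the example).
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Return the URL's scheme, lower-cased, or null if there is none.
// Leading whitespace and control characters are stripped first, and the
// scheme is matched case-insensitively (RFC 3986 schemes are case-insensitive),
// so " JavaScript:..." and "DATA:..." normalise to the same scheme name that
// a plain url.startsWith("javascript:") test would miss.
function schemeOf(url) {
  const trimmed = String(url).replace(/^[\s\u0000-\u001f]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/.exec(trimmed.toLowerCase());
  return m ? m[1] : null;
}

// Denylist check, mirroring the shape of the fix: reject the schemes known
// to execute script, accept everything else that has a scheme.
function isAllowedByDenylist(url) {
  const scheme = schemeOf(url);
  if (scheme === null) return false; // schemeless/relative input: reject
  return !BLOCKED_SCHEMES.has(scheme);
}

// Allowlist check: accept only the schemes a panel is expected to use.
function isAllowedByAllowlist(url) {
  const scheme = schemeOf(url);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Run both checks over constructed sample inputs and return the verdicts.
function checkSamples() {
  const samples = [
    "http://example.com/panel.html",   // ordinary panel
    "javascript:void(0)",              // blocked scheme
    " JavaScript:void(0)",             // leading space + mixed case
    "DATA:text/html,hello",            // upper-case blocked scheme
    "about:config",                    // passes denylist, fails allowlist
    "relative/path.html",              // no scheme at all
  ];
  return samples.map((url) => ({
    url,
    denylist: isAllowedByDenylist(url),
    allowlist: isAllowedByAllowlist(url),
  }));
}

for (const r of checkSamples()) {
  console.log(JSON.stringify(r));
}
```

Firefox chrome code would resolve the URL through the browser's own URI parsing rather than a regular expression; the points the example makes are that the comparison has to happen on the normalised scheme, and that an allowlist of the schemes a panel actually needs is tighter than a denylist of the schemes currently known to be dangerous.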
(Assignee)

Comment 1

12 years ago
Created attachment 183535 [details]
testcase
(Assignee)

Comment 2

12 years ago
Created attachment 183536 [details] [diff] [review]
patch to check "data:" url as well as "javascript:" url
(Assignee)

Updated

12 years ago
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.5?
Keywords: testcase
(Assignee)

Updated

12 years ago
Assignee: nobody → mconnor
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5+
Whiteboard: [sg:fix]
Blocks: 256195
Comment on attachment 183536 [details] [diff] [review]
patch to check "data:" url as well as "javascript:" url

ok, fair enough.  I'm sure this will break something, but people can deal.
Attachment #183536 - Flags: review+

Updated

12 years ago
Whiteboard: [sg:fix] → [sg:fix] have patch

Updated

12 years ago
Assignee: mconnor → bugzilla

Comment 4

12 years ago
Comment on attachment 183536 [details] [diff] [review]
patch to check "data:" url as well as "javascript:" url

Let's get this checked in on the Aviary branch. a=jay
Attachment #183536 - Flags: approval-aviary1.0.5+

Comment 5

12 years ago
Are we taking this on the Trunk as well?
Whiteboard: [sg:fix] have patch → [sg:fix] need landing
yeah, needs trunk landing too, I'll get approvals and do that.

Updated

12 years ago
Attachment #183536 - Flags: approval-aviary1.1a2?

Updated

12 years ago
Keywords: fixed-aviary1.0.5
Whiteboard: [sg:fix] need landing → [sg:fix]
Attachment #183536 - Flags: approval-aviary1.1a2? → approval-aviary1.1a2+
Please land on the trunk, you have the approvals now
Flags: blocking1.8b3+
Whiteboard: [sg:fix] → [sg:fix] needs trunk landing
fixed on trunk
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Whiteboard: [sg:fix] needs trunk landing → [sg:fix]

Comment 9

12 years ago
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
Gecko/20050706 Firefox/1.0.5 using attached testcase.
Adding distributors
Security advisories published
Group: security

Updated

11 years ago
Flags: testcase+

Comment 12

11 years ago
Verified fixed using Win FF 1.5.
Status: RESOLVED → VERIFIED

Updated

10 years ago
Flags: in-testsuite+ → in-testsuite?