Closed Bug 302022 Opened 19 years ago Closed 13 years ago

"Set as Wallpaper" dialog can load local files as images

Categories

(Firefox :: Menus, defect)

defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: mikx, Unassigned)

References

Details

(Whiteboard: [sg:low])

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

The patch for bug #292737 blocked the exploit to execute arbitrary code with a javascript URL in the "Set as Wallpaper" dialog. On the one hand it is blocked because the context menu option is disabled when the image is not valid, on the other hand it is blocked by a check inside setWallpaper.xul (static check for javascript scheme).

By changing the src attribute of the image file with a setTimeout function, it is possible to get the context menu with active "Set as Wallpaper" option and then inject another URL into the dialog. The scheme check inside the dialog is still working, but you can get around the usual url checks and access local files for example.

This does not lead to any active vulnerability right now (well, beside the "evil" ability to make the user set another background image than he sees in the page and in the preview *g*). But the ability to access arbitrary files looks like a recipe for trouble to me. Am I paranoid? Anyway, I suggest fixing the "timing" attack vector if possible. Is a fix like this used in other places?

Reproducible: Always

<!-- testcase: right-click the image, wait one second for doit() to swap src, then pick "Set as Wallpaper" -->
<img src="test.jpg" onmousedown="setTimeout('doit()',1000)" width="300" height="200" id="myimg">
<script>
function doit(){
  myimg = document.getElementById("myimg");
  myimg.src = "file:///C:/WINDOWS/Web/Wallpaper/Tulips.jpg";
  myimg.width = 300;
  myimg.height = 200;
};
</script>

An interesting side effect is that the old image keeps being displayed when you change the src attribute and width/height. I would expect a broken image icon.
Flags: blocking-aviary1.5?
Summary: "Set as Wallpaper" context menu can access local files → "Set as Wallpaper" dialog can load local files as images
Whiteboard: [sg:fix]
nice to have as a proactive measure, but we're not going to hold on this without a more severe exploit.
Flags: blocking-aviary1.5? → blocking-aviary1.5-
This will be fixed by moving the default to xpcnativewrappers=yes.
Depends on: 302276
Attached file Mac testcase
Based on the Windows testcase in comment 0.
Confirmed using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050811 Firefox/1.0+. xpcnativewrappers=yes is already on for browser.js, so I don't think turning it on by default everywhere is going to fix this bug. This bug will be tricky to fix because the original image node is passed from browser.js to setDesktopBackground.js to nsIShellService::SetDesktopBackground. The page can change the image at many different times, including while the context menu is visible and while setDesktopBackground.xul is loading.
No longer depends on: 302276
The patch in bug 303181 fixes part of this bug.
Depends on: 303181
Status: UNCONFIRMED → NEW
Ever confirmed: true
The testcase no longer works, but I think there are other ways to exploit this bug.
Whiteboard: [sg:fix] → [sg:low]
I think this was fixed by bug 263473, by using nsIImageLoadingContent to check the loading state, and by using currentURI instead of .src. Jesse/Michael, do you agree?
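The check-then-use race from comment 0 and the shape of the fix Gavin describes above (check the loading state, take the URL from what the image actually loaded rather than from .src) as a small JavaScript model. This is an added example, not Firefox or Gecko code: FakeImage, its `loading` and `currentURI` fields, isAllowedWallpaperURL and the sample URLs are assumptions standing in for the DOM node, nsIImageLoadingContent and the dialog's scheme check.

```javascript
// Toy model of the "Set as Wallpaper" race (added example, not Firefox code).
//
// A stand-in for a DOM <img>. `src` is the attribute the page may rewrite at
// any time; `currentURI` and `loading` model nsIImageLoadingContent state that
// only changes once a load actually completes. That behaviour is an assumption
// of this model, not a description of Gecko internals.
class FakeImage {
  constructor(src) {
    this.src = src;
    this.currentURI = src;   // what is currently displayed
    this.loading = false;
  }
  // Page side: myimg.src = "file:///..." starts a new load but does not change
  // what is displayed until that load finishes (matches the side effect noted
  // in comment 0: the old image keeps showing after the swap).
  setSrc(url) {
    this.src = url;
    this.loading = true;
  }
  finishLoad() {
    this.currentURI = this.src;
    this.loading = false;
  }
}

// The dialog check in comment 0 only rejected the javascript: scheme, so file:
// got through. Model an allow-list instead: only remote http(s) images.
function isAllowedWallpaperURL(url) {
  return /^https?:\/\//i.test(url);
}

// Vulnerable flow: the context menu enables the item after checking img.src,
// the page gets a turn (the setTimeout in comment 0 fires), and the dialog
// then reads img.src again. Stale decision, fresh read.
function vulnerableSetWallpaper(img, pageTurn) {
  if (!isAllowedWallpaperURL(img.src)) return { ok: false, url: null };
  pageTurn(img);
  return { ok: true, url: img.src };
}

// Hardened flow: refuse while a load is in flight, snapshot the URI that is
// actually displayed, validate that snapshot, and never re-read the node after
// page script has had a chance to run.
function hardenedSetWallpaper(img, pageTurn) {
  if (img.loading) return { ok: false, url: null };
  const url = img.currentURI;
  if (!isAllowedWallpaperURL(url)) return { ok: false, url: null };
  pageTurn(img);
  return { ok: true, url };
}

// The attack from comment 0: swap src to a local path between the menu check
// and the dialog. Both URLs are constructed sample values.
const LOCAL = "file:///C:/WINDOWS/Web/Wallpaper/Tulips.jpg";
const REMOTE = "http://example.invalid/test.jpg";
function swapToLocalFile(img) { img.setSrc(LOCAL); }

// Run both flows against a freshly loaded remote image and return the URLs
// each one would hand to nsIShellService::SetDesktopBackground.
function runScenario() {
  return {
    vulnerable: vulnerableSetWallpaper(new FakeImage(REMOTE), swapToLocalFile),
    hardened: hardenedSetWallpaper(new FakeImage(REMOTE), swapToLocalFile),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The vulnerable flow ends up with the file: URL even though its only check passed; the hardened flow hands over the http URL it validated, and refuses outright if the page has already started a new load or if the displayed image is itself a local file.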
WFM, I think Gavin's right.
Group: core-security
Resolving as WORKSFORME since I also think this is fixed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME