Closed Bug 304690 Opened 19 years ago Closed 18 years ago

Stand-alone applications can do cross-domain scripting through Firefox

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha5

People

(Reporter: mikx, Assigned: bzbarsky)

Details

(Keywords: fixed1.8.0.12, verified1.8.1.4, Whiteboard: [sg:fix])

Attachments

(3 files, 4 obsolete files)

new testcase
19.76 KB, application/octet-stream
Details
Better trunk fix
1.28 KB, patch
dveditz
: review+
jst
: superreview+
Details | Diff | Splinter Review
Correct branch fix
1.21 KB, patch
dveditz
: review+
jst
: superreview+
dveditz
: approval1.8.1.4+
dveditz
: approval1.8.0.12+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 As far as i understand the fix for bug #298255 it was intendet to stop the ability to load chrome urls from external applications and to clear the context of javascript calls to about:blank. Tested with Firefox 1.0.6 and it works as expected: can not load chrome and javascript urls don't have access to document.cookie (although a javascript:alert(document.cookie) gives the current domain as title of the alert dialog instead of "javascript application" or "about:blank"). But by calling a data: url it is still possible to do cross-domain scripting. Is this expected behavior in 1.0.6 or was this overlooked? Reproducible: Always
Attached file testcase (obsolete) —
Attached file testcase mov file (obsolete) —
Flags: blocking1.8b4?
Whiteboard: [sg:fix]
Assignee: nobody → mconnor
Flags: blocking1.8b4? → blocking1.8b4+
Mac OS X 10.4.2 QuickTime Version 7.0.1, Player Version 7.0.1 (7.0.1) Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050816 Firefox/1.0+ Clicking the "Clicking here" in the .mov file doesn't seem to have any effect on Firefox. I'm guessing this testcase was made for Windows, so I'll test on Windows later.
XP SP2 and QT 6.5.2 here, and I get nothing. I do get the alert(1) in the first testcase, but that's just an onclick for the element. What combination of OS/QT is vulnerable to this?
Attached file new testcase
Sorry, the first testcase was missing a file. Uploaded a new one as a complete zip (should contain three files). This is proven to work with QT 6.5.1 on Windows XP pro SP2 with latest patches and Firefox 1.0.6 as default browser. It uses a documented QT feature - so it should also work on OSX.
Attachment #192723 - Attachment is obsolete: true
Attachment #192724 - Attachment is obsolete: true
I tried the new testcase on Windows XP. QuickTime tried to open the data: URL in IE7 even though Firefox is my default browser, so I wasn't really able to test the exploit. I have QuickTime 7.0.2a63.
Tested with latest production release of QT (6.5.2) and Firefox 1.0.6 on WinXP SP1 with IE6, WinXP SP2 with IE7 and on Vista Beta 1 (IE7). All working. The upgrade to the QT 7 preview failed on Vista (probably because of 64bit) and i can't upgrade the XP machines right now. Jesse, can you try to downgrade to QT 6.5.2?
Same thing happens with QT 6.5.2.
I figured out how to reproduce this bug using Start->Run. I think that for this exploit to work, the option for "Open links from other applications in" must be "the most recent tab/window". "C:\moz\firefox 0818 branch\firefox.exe" "chrome://browser/content/browser.xul" * Does nothing if Firefox is already loaded. * If Firefox is not already loaded, incorrectly loads browser.xul into the content area. (#1) Navigate to http://www.google.com/ and then: "C:\moz\firefox 0818 branch\firefox.exe" "javascript:alert(document.cookie)" * Does not show the cookie. * The title bar is blank when the dialog appears. * Shows above content from www.google.com. (#2) * Incorrectly shows "www.google.com" in the title of the dialog. (#3) * The back button doesn't do what I'd expect. (#4) Navigate to http://www.google.com/ and then: "C:\moz\firefox 0818 branch\firefox.exe" "data:text/html,<script>alert(document.cookie)</script>" * Shows the cookie. (#5 - this bug)
Status: UNCONFIRMED → NEW
Ever confirmed: true
I filed bug 305269 for #1. Of the remaining issues, I don't know how many of them are the same bug.
I can reproduce on Mac using the following AppleScript script: tell application "DeerPark" activate Get URL "data:text/html,<script>alert(document.cookie)</script>" end tell
#2 in comment 9 might be bug 253951.
Why is the CreateAboutBlankContentViewer() call at http://lxr.mozilla.org/mozilla/source/docshell/base/nsDocShell.cpp#6203 not preventing data: URLs from looking at the previous page's cookies? (jst/caillon?)
-> dveditz, since he's probably the best person to answer comment 13 here, and to fix this.
Assignee: mconnor → dveditz
we'd like to get a fix before the rc.
Flags: blocking1.8b5+ → blocking1.8b5-
This is slightly less of a problem now that we've removed the Firefox UI for "in the same tab/window" option, but it would be good to answer the question in comment 13 - I've verified that we are reaching that block of code, but the external data: URI load is still able to get at the previously loaded page's cookies. Is CreateAboutBlankContentViewer(nsnull) not meant to prevent that?
The problem is that this block: // Get an owner from the current document if necessary. Note that we only // do this for URIs that inherit a security context; in particular we do ... comes way before we create the blank content viewer. Is there ever a case when LOAD_NORMAL_EXTERNAL is the load type _and_ we have a window target? If not, I would say we should do the LOAD_NORMAL_EXTERNAL check a lot earlier: before we do the window retargeting. Alternately, we could reset the owner in the LOAD_NORMAL_EXTERNAL block if we inherited it.... that might be easiest.
Attached patch Trunk fix (obsolete) — Splinter Review
Does this work? If so, I'll request module owner reviews etc....
Attachment #261998 - Flags: review?(gavin.sharp)
Comment on attachment 261998 [details] [diff] [review] Trunk fix Yeah, this fixes it for me.
Attachment #261998 - Flags: review?(gavin.sharp) → review+
Assignee: dveditz → nobody
Component: General → Embedding: Docshell
Product: Firefox → Core
QA Contact: general → docshell
Target Milestone: --- → mozilla1.9alpha4
Version: unspecified → Trunk
Attached patch Better trunk fixSplinter Review
Assignee: nobody → bzbarsky
Attachment #261998 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #262305 - Flags: superreview?(jst)
Attachment #262305 - Flags: review?(dveditz)
Attached patch Branch fix (obsolete) — Splinter Review
Attachment #262312 - Flags: superreview?(jst)
Attachment #262312 - Flags: review?(dveditz)
Comment on attachment 262305 [details] [diff] [review] Better trunk fix r=dveditz
Attachment #262305 - Flags: review?(dveditz) → review+
Comment on attachment 262312 [details] [diff] [review] Branch fix >+ if (aLoadType == LOAD_NORMAL_EXTERNAL [...] Shouldn't this be != like the trunk patch and comment?
> Shouldn't this be != like the trunk patch and comment? Yes, it should...
Attachment #262312 - Attachment is obsolete: true
Attachment #262601 - Flags: superreview?(jst)
Attachment #262601 - Flags: review?(dveditz)
Attachment #262312 - Flags: superreview?(jst)
Attachment #262312 - Flags: review?(dveditz)
Comment on attachment 262601 [details] [diff] [review] Correct branch fix r=dveditz
Attachment #262601 - Flags: review?(dveditz) → review+
Attachment #262305 - Flags: superreview?(jst) → superreview+
Attachment #262601 - Flags: superreview?(jst) → superreview+
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: mozilla1.9alpha4 → mozilla1.9alpha5
Comment on attachment 262601 [details] [diff] [review] Correct branch fix If it's not too late, we might want this for the next branch releases. I'm pretty confident that this is a safe patch... If we're worried that it'll break something odd, then let's do it in 1.8.0.13/1.8.1.5
Attachment #262601 - Flags: approval1.8.1.4?
Attachment #262601 - Flags: approval1.8.0.12?
Comment on attachment 262601 [details] [diff] [review] Correct branch fix approved for 1.8.0.12 and 1.8.1.4, a=dveditz Would love to have this safe fix.
Attachment #262601 - Flags: approval1.8.1.4?
Attachment #262601 - Flags: approval1.8.1.4+
Attachment #262601 - Flags: approval1.8.0.12?
Attachment #262601 - Flags: approval1.8.0.12+
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Checked in on branches.
Keywords: fixed1.8.0.12, fixed1.8.1.4
v.fixed on 1.8 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 (Jesse's AppleScript testcase passes for me, I just see the JavaScript Application alert)
Keywords: fixed1.8.1.4verified1.8.1.4
Group: security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: