Closed Bug 309258 Opened 19 years ago Closed 13 years ago

XPath can be used to determine text of mail message (wiretap)

Categories

(MailNews Core :: Security, defect)

PowerPC
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: testcase, Whiteboard: [sg:low?])

Attachments

(1 file)

XPath lets you search the document for text nodes containing a given string. 
This is sufficient to determine the rough content of a message through repeated
searches, something we try to prevent (see bug 66938).
Attached file: Demo
You can play with the demo in Firefox, but it's more interesting if you send it
to yourself by email and open it using SeaMonkey.

I tested with SeaMonkey 1.0a and Thunderbird 1.5 Beta 1.  SeaMonkey is
vulnerable.  Thunderbird 1.5 Beta 1 is not vulnerable because XPath is not
compiled (?).  I didn't test older versions.

This testcase isn't very efficient.  I think it can be made more efficient, and
maybe even more direct by using different XPath features.
What's special about XPath?  It looks like this example depends on script being
enabled and having access to the DOM document object.  Given that, why not just
walk the DOM structures?  What does this provide that that doesn't?
Many things are disabled, including textnode.data and anything.innerHTML.  See
http://lxr.mozilla.org/mozilla/source/modules/libpref/src/init/all.js#285.
Blocks: 84545
That seems like a rather odd security model, and one that many people don't know
about.  Blocking things piece-by-piece doesn't seem like it's going to be
effective -- we'll keep finding more gaps (like this and bug 309276).  We need
to block access to what we don't want the script accessing.
See also bug 309267, "Consider using a whitelist of allowed JavaScript
properties and methods for mailnews".
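The thread's argument, in working code: as an added example (not the demo attached to this bug and not Mozilla's code), the JavaScript below contrasts the two models on a constructed stand-in for a message document. The denylist wrapper hides the properties named in the thread (`textnode.data`, `innerHTML`) but lets `evaluate()` through, which is exactly the gap the bug reports; the allowlist wrapper of bug 309267 exposes only named structural properties, so the XPath route is absent rather than forgotten. `FakeDocument`, `FakeTextNode`, `denylistWrap`, `allowlistWrap` and `leakRoutes` are hypothetical names, and the stand-in `evaluate()` supports only the one `contains()` shape the bug describes.

```javascript
'use strict';

// Added example, not code from bug 309258 or from Mozilla: contrasts the
// property-denylist model the bug ran into (block textnode.data, innerHTML,
// ... one by one) with the allowlist model proposed in bug 309267.
// FakeDocument, FakeTextNode, denylistWrap, allowlistWrap and leakRoutes are
// hypothetical names; the message contents below are constructed.

class FakeTextNode {
  constructor(data) {
    this.nodeType = 3;
    this.data = data;
  }
}

class FakeDocument {
  constructor(texts) {
    this.documentElement = {
      nodeType: 1,
      childNodes: texts.map((t) => new FakeTextNode(t)),
    };
  }

  // Minimal stand-in for document.evaluate(): supports only the one shape the
  // bug describes, //text()[contains(., "needle")], and returns matching nodes.
  evaluate(expr) {
    const m = /^\/\/text\(\)\[contains\(\.,\s*"([^"]*)"\)\]$/.exec(expr);
    if (!m) throw new Error('stand-in evaluate() does not support: ' + expr);
    return this.documentElement.childNodes.filter((n) => n.data.includes(m[1]));
  }
}

// Model 1: denylist. Properties known to expose text are hidden; everything
// else, including methods such as evaluate(), passes through untouched.
const DENIED = new Set(['data', 'nodeValue', 'textContent', 'innerHTML']);

function denylistWrap(target) {
  if (target === null || typeof target !== 'object') return target;
  return new Proxy(target, {
    get(obj, prop) {
      if (DENIED.has(prop)) return undefined;
      const v = Reflect.get(obj, prop);
      return typeof v === 'function' ? v.bind(obj) : denylistWrap(v);
    },
  });
}

// Model 2: allowlist. Only structural properties (and array indices) are
// reachable; anything not listed, evaluate() included, simply does not exist
// from the script's point of view.
const ALLOWED = new Set(['nodeType', 'childNodes', 'documentElement', 'length']);

function allowlistWrap(target) {
  if (target === null || typeof target !== 'object') return target;
  return new Proxy(target, {
    get(obj, prop) {
      const ok = typeof prop === 'string' && (ALLOWED.has(prop) || /^\d+$/.test(prop));
      if (!ok) return undefined;
      return allowlistWrap(Reflect.get(obj, prop));
    },
  });
}

// Which routes let a script confirm that `word` occurs in the message:
// 'data' (reading text nodes directly) and/or 'xpath' (a contains() search).
// An empty array means neither route is reachable or the word is absent.
function leakRoutes(doc, word) {
  const routes = [];
  const root = doc.documentElement;
  const kids = root && root.childNodes;
  if (kids) {
    for (let i = 0; i < kids.length; i++) {
      const n = kids[i];
      if (n && typeof n.data === 'string' && n.data.includes(word)) {
        routes.push('data');
        break;
      }
    }
  }
  if (typeof doc.evaluate === 'function') {
    const hits = doc.evaluate(`//text()[contains(., "${word}")]`);
    if (hits.length > 0) routes.push('xpath');
  }
  return routes;
}

// Constructed message body; prints which routes each model leaves open.
const message = new FakeDocument(['Meeting moved to noon.', 'Attached: the signed contract.']);
const models = [['raw', message], ['denylist', denylistWrap(message)], ['allowlist', allowlistWrap(message)]];
for (const [name, doc] of models) {
  console.log(name.padEnd(9), JSON.stringify(leakRoutes(doc, 'contract')));
}
```

Run under Node: the raw document reports both routes, the denylist still reports `xpath`, and the allowlist reports none. The point is not the particular properties in `DENIED` but that a denylist has to anticipate every API that reaches the same bytes, while an allowlist only has to justify what it exposes.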
Summary: XPath can be used to determine text of mail message → XPath can be used to determine text of mail message (wiretap)
Not sure how to rate this since JavaScript is off by default in mail. If it's not in Thunderbird, maybe this should be moved to the Mozilla Application Suite product.
Whiteboard: [sg:low?]
Product: Core → MailNews Core
Fixed by bug 374577.
Group: core-security
Depends on: 374577
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED