Closed
Bug 309258
Opened 20 years ago
Closed 14 years ago
XPath can be used to determine text of mail message (wiretap)
Categories
(MailNews Core :: Security, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: testcase, Whiteboard: [sg:low?])
Attachments
(1 file)
977 bytes, text/html
XPath lets you search the document for text nodes containing a given string.
This is sufficient to determine the rough content of a message through repeated
searches, something we try to prevent (see bug 66938).
Comment 1•20 years ago (Reporter)
You can play with the demo in Firefox, but it's more interesting if you send it
to yourself by email and open it using SeaMonkey.
I tested with SeaMonkey 1.0a and Thunderbird 1.5 Beta 1. SeaMonkey is
vulnerable. Thunderbird 1.5 Beta 1 is not vulnerable because XPath is not
compiled (?). I didn't test older versions.
This testcase isn't very efficient. I think it can be made more efficient, and
maybe even more direct by using different XPath features.
What's special about XPath? It looks like this example depends on script being
enabled and having access to the DOM document object. Given that, why not just
walk the DOM structures? What does this provide that that doesn't?
Comment 3•20 years ago (Reporter)
Many things are disabled, including textnode.data and anything.innerHTML. See
http://lxr.mozilla.org/mozilla/source/modules/libpref/src/init/all.js#285.
That seems like a rather odd security model, and one that many people don't know
about. Blocking things piece-by-piece doesn't seem like it's going to be
effective -- we'll keep finding more gaps (like this and bug 309276). We need
to block access to what we don't want the script accessing.
Comment 5•20 years ago (Reporter)
See also bug 309267, "Consider using a whitelist of allowed JavaScript
properties and methods for mailnews".
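The contrast drawn in comments 3 to 5, blocking individual properties versus an allowlist, as an added example that is not code from this bug or from Mozilla. `mockDocument`, `makeGate` and `probe` are hypothetical names, and the mock `evaluate` is a constructed stand-in for an XPath text search that only reports whether a match exists.

```javascript
// Added illustration: hypothetical names, not Mozilla's capability-policy code.

// Constructed stand-in for a message document. evaluate() models an XPath
// text search that only reports whether some text node contains the needle.
function mockDocument(bodyText) {
  const textNode = { data: bodyText };
  return {
    title: "message",
    body: { innerHTML: bodyText, firstChild: textNode },
    evaluate: (needle) => ({ matched: textNode.data.includes(needle) }),
  };
}

// Wrap an object so every property read is checked against the policy.
// mode "block": deny listed names, permit the rest (piece-by-piece blocking).
// mode "allow": permit listed names, deny the rest (default deny).
function makeGate(target, policy) {
  return new Proxy(target, {
    get(obj, prop) {
      const name = String(prop);
      const listed = policy.names.has(name);
      const permitted = policy.mode === "allow" ? listed : !listed;
      if (!permitted) throw new Error(`access denied: ${name}`);
      const value = obj[prop];
      const isObject = value !== null && typeof value === "object";
      return isObject ? makeGate(value, policy) : value;
    },
  });
}

// Try each route to the message text and return the ones the policy let through.
function probe(policy) {
  const gated = makeGate(mockDocument("constructed sample body"), policy);
  const routes = {
    "textnode.data": () => gated.body.firstChild.data,
    "innerHTML": () => gated.body.innerHTML,
    "text search": () => gated.evaluate("sample").matched,
  };
  return Object.keys(routes).filter((label) => {
    try { routes[label](); return true; } catch (e) { return false; }
  });
}

const blocklist = { mode: "block", names: new Set(["data", "innerHTML"]) };
const allowlist = { mode: "allow", names: new Set(["title"]) };
console.log(probe(blocklist)); // [ 'text search' ]
console.log(probe(allowlist)); // []
```

The blocklist stops the two properties it names and nothing else, so any route nobody thought to list stays open; the allowlist fails closed on it.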
Updated•20 years ago (Reporter)
Summary: XPath can be used to determine text of mail message → XPath can be used to determine text of mail message (wiretap)
Comment 6•19 years ago
Not sure how to rate this since JavaScript is off by default in mail. If it's not in Thunderbird, maybe this should be moved to the Mozilla Application Suite product.
Whiteboard: [sg:low?]
Updated•17 years ago (Assignee)
Product: Core → MailNews Core
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED