If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

messing with chrome xbl

UNCONFIRMED
Unassigned

Status

()

Core
General
UNCONFIRMED
12 years ago
9 years ago

People

(Reporter: georgi - hopefully not receiving bugspam, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051129 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051129 Firefox/1.6a1

it is possible to inject js in chrome xbl via textbox.xml/setTimeout.
it is done by redefining _fireCommand on textbox of time "timed".

the js seems to get executed with luser's privilege, but when trying to do
privileged stuff, the exception in the js console is:

JavaScript error: , line 0: uncaught exception: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"  location: "chrome://global/content/bindings/textbox.xml Line: 190"]

this may be a potential problem, but may be also invalid.

----xul----    
<textbox type="timed" cols="80" rows="200" name="vvvv" timeout="1000" id="t1"></textbox>

<script type="application/x-javascript">
<![CDATA[
function f()
{
var tb=document.getElementById("t1");
tb._fireCommand="openDialog()";
}
setTimeout("f()",1000);
]]>
</script>
	<description flex="1">

	Type something into the box and check for exception in the js console.

	</description>

----xul-----

Reproducible: Always
Created attachment 205039 [details]
testcase

testcase
Created attachment 205040 [details]
trying to steal bugzilla cookies, ignore

checking what cookies are accessible from bugzilla.mozilla.org
looks like malicous attachments may access all cookies from b.m.o, which eventually may be potentially used to access restricted bugs.

a potential solution is attachments to be served from a useless domain with virtual web server.
So given that XBL runs with page privileges, we're OK here.  If it did not, this binding would need some serious thought; adding blocking of bug 59701.

In my opinion this bug should not be security-sensitive so that people working on bug 59701 can see this.  If someone feels that the material in comment 2 and comment 3 means that this bug should stay security-sensitive (given that the bugzilla bugs on that issue are, I can see people feeling that way), then we should probably close this bug out and file a new open bug on on the real issue at hand.
Blocks: 59701
question:

in  content/xbl/src/nsXBLBinding.cpp nsXBLBinding::DoInitJSClass

 // Make a new object prototyped by parent_proto and parented by global.
    proto = ::JS_InitClass(cx,                  // context
                           global, 

i would like to try to get this "global" object via js.

can someone provide a testcase for this (probably involving __parent__) because i couldn't do it.
That global is the inner of the window object (that is, it's the global object for the document in which the element the binding is being attached to lives).  You can just walk the __parent__ chain on the bound node to get to that global.
(In reply to comment #7)
> That global is the inner of the window object (that is, it's the global object
> for the document in which the element the binding is being attached to lives). 
> You can just walk the __parent__ chain on the bound node to get to that global.

But the __parent__ getter censors the inner object, returning the outer for it.

/be
another question:

can someone please tell me the codepath for this:

<script>
alert(window.QueryInterface(Components.interfaces.nsISupportsWeakReference).GetWeakReference());
</script>

QueryInterfaces passes, returning window object, but then something throws a js exception.

Comment 10

12 years ago
You need UniversalXPConnect permissions to use weak references.
(In reply to comment #10)
> You need UniversalXPConnect permissions to use weak references.
> 

i was interested in which methods get invoked by this example.
Whiteboard: [sg:nse]

Comment 12

12 years ago
is this bug attacking firefox xbl, toolkit xbl, or some gecko core module? if any of the latter, could we please move it?
(In reply to comment #12)
> is this bug attacking firefox xbl, toolkit xbl, or some gecko core module? if
> any of the latter, could we please move it?
> 

i am not sure it is a real attack, so the bug may be invalid.
tb._fireCommand="var er=new Error();alert('Error.stack='+er.stack)";

gives interesting stack.

on 1.5:
Error()@0
@chrome://global/...

on trunk:
Error()@0
@0







Created attachment 233050 [details]
new Error().stack

Updated

11 years ago
Whiteboard: [sg:nse] → [sg:nse] comment 3 reveals bug 38862
Does anyone object to hiding comments 2 and 3, and then opening this bug, now that we have the ability to hide comments?
(In reply to comment #16)
> Does anyone object to hiding comments 2 and 3, and then opening this bug, now
> that we have the ability to hide comments?
> 

i don't object. just for the record comment 2 and comment 3 are mine according to bugmail.
No objection.

Gerv
Group: security
Component: General → General
OS: Linux → All
Product: Firefox → Core
QA Contact: general → general
Hardware: PC → All
Whiteboard: [sg:nse] comment 3 reveals bug 38862
You need to log in before you can comment on or make changes to this bug.