Closed
Bug 329583
Opened 19 years ago
Closed 19 years ago
Sidebar View Image xss
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: pvnick, Unassigned)
References
Details
(Keywords: fixed1.8.1, verified1.8.0.4, Whiteboard: [sg:high] fixed by 329521)
Attachments
(1 file, 1 obsolete file)
410 bytes,
text/html
|
Details |
Right-clicking a javascript: image on a page in the sidebar and pressing View Image will execute the script in the context of the content window.
Reporter | ||
Comment 1•19 years ago
|
||
Comment 2•19 years ago
|
||
See also bug 281490, "Many menu items in sidebar context menu don't work".
For a more effective exploit:
* Show a cut-off porn image in the sidebar.
* Tile broken javascript: images with low opacity over the image.
* Use some kind of visual distraction to disguise the sidebar splitter.
* Pick an empty, small, or at least logo-free page on the XSS-victim site. (e.g. robots.txt, a stylesheet, or a small image.)
I think that exploit would work against enough users and against enough sites to warrant [sg:high].
I can't reproduce in a 2006-02-22 trunk build.
Whiteboard: [sg:high]
Comment 3•19 years ago
|
||
Maybe this would be fixed by the patch in bug 329521. I can't check it right now, because context menus in the sidebar are borked in my debug build.
Updated•19 years ago
|
Flags: blocking1.8.0.3?
Flags: blocking-firefox2+
Flags: blocking-aviary1.0.9?
Updated•19 years ago
|
Target Milestone: --- → Firefox 2 alpha2
Updated•19 years ago
|
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Comment 4•19 years ago
|
||
So, we haven't reimplemented sidebar panels yet (nor is it clear in what form they'll return, assuming that they do). Knocking off Fx2 radar, please renominate if/when we add that functionality and this is exploitable in the new impl.
Flags: blocking-firefox2+
Target Milestone: Firefox 2 alpha2 → ---
Updated•19 years ago
|
Whiteboard: [sg:high] → [sg:high] maybe fixed by 329521
Reporter | ||
Comment 5•19 years ago
|
||
Checks if the document containing the image is the same as that which will be redirected from. If they're different, javascript/data urls are blocked.
Reporter | ||
Comment 6•19 years ago
|
||
Comment on attachment 220585 [details] [diff] [review]
proposed patch
viewImage : function (e) {
urlSecurityCheck( this.imageURL, this.docURL );
//If the image's ownerDocument is in a frame, disallow viewing a javascript image
var w = getTopWin();
var b = w.document.getElementById("content");
if(!b.currentURI.equals(makeURI(this.target.ownerDocument.location))){
try {
const secMan = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
.getService(Components.interfaces.nsIScriptSecurityManager);
const nsIScriptSecMan = Components.interfaces.nsIScriptSecurityManager;
secMan.checkLoadURI(w.document.getElementById("content").currentURI, makeURI(this.imageURL),
nsIScriptSecMan.DISALLOW_SCRIPT_OR_DATA);
openUILink( this.imageURL, e );
} catch(e) {}
}
else{
openUILink( this.imageURL, e );
}
},
Reporter | ||
Updated•19 years ago
|
Attachment #220585 -
Attachment is obsolete: true
Reporter | ||
Comment 7•19 years ago
|
||
apparently that's not how you upload patches :)
i included the updated function source in a comment instead
Comment 8•19 years ago
|
||
This is indeed fixed by the patch in bug 329521
Comment 9•19 years ago
|
||
verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Keywords: fixed1.8.0.4 → verified1.8.0.4
Updated•19 years ago
|
Whiteboard: [sg:high] maybe fixed by 329521 → [sg:high] fixed by 329521
Updated•17 years ago
|
Group: security
Updated•17 years ago
|
Flags: in-litmus?
Comment 10•17 years ago
|
||
Litmus Triage Team: tomcat will cover the Litmus test case for this bug.
You need to log in
before you can comment on or make changes to this bug.
Description
•