Status

()

--
critical
RESOLVED FIXED
13 years ago
7 years ago

People

(Reporter: pvnick, Unassigned)

Tracking

({fixed1.8.1, verified1.8.0.4})

1.5.0.x Branch
x86
Windows XP
fixed1.8.1, verified1.8.0.4
Points:
---
Bug Flags:
blocking-aviary1.0.9 ?
blocking1.8.0.4 +
in-litmus ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high] fixed by 329521)

Attachments

(1 attachment, 1 obsolete attachment)

410 bytes, text/html
Details
(Reporter)

Description

13 years ago
Right-clicking a javascript: image on a page in the sidebar and pressing View Image will execute the script in the context of the content window.
(Reporter)

Comment 1

13 years ago
Created attachment 214281 [details]
testcase

Comment 2

13 years ago
See also bug 281490, "Many menu items in sidebar context menu don't work".

For a more effective exploit:
* Show a cut-off porn image in the sidebar.
* Tile broken javascript: images with low opacity over the image.
* Use some kind of visual distraction to disguise the sidebar splitter.
* Pick an empty, small, or at least logo-free page on the XSS-victim site.  (e.g. robots.txt, a stylesheet, or a small image.)

I think that exploit would work against enough users and against enough sites to warrant [sg:high].

I can't reproduce in a 2006-02-22 trunk build.
Whiteboard: [sg:high]
Maybe this would be fixed by the patch in bug 329521. I can't check it right now, because context menus in the sidebar are borked in my debug build.
Flags: blocking1.8.0.3?
Flags: blocking-firefox2+
Flags: blocking-aviary1.0.9?

Updated

13 years ago
Target Milestone: --- → Firefox 2 alpha2
Flags: blocking1.8.0.3? → blocking1.8.0.3+
So, we haven't reimplemented sidebar panels yet (nor is it clear in what form they'll return, assuming that they do).  Knocking off Fx2 radar, please renominate if/when we add that functionality and this is exploitable in the new impl.
Flags: blocking-firefox2+
Target Milestone: Firefox 2 alpha2 → ---
Depends on: 329521
Whiteboard: [sg:high] → [sg:high] maybe fixed by 329521
(Reporter)

Comment 5

13 years ago
Created attachment 220585 [details] [diff] [review]
proposed patch

Checks if the document containing the image is the same as that which will be redirected from. If they're different, javascript/data urls are blocked.
(Reporter)

Comment 6

13 years ago
Comment on attachment 220585 [details] [diff] [review]
proposed patch

    viewImage : function (e) {
        urlSecurityCheck( this.imageURL, this.docURL );
        //If the image's ownerDocument is in a frame, disallow viewing a javascript image
        var w = getTopWin();
	var b = w.document.getElementById("content");
        if(!b.currentURI.equals(makeURI(this.target.ownerDocument.location))){
            try {
              const secMan = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
                             .getService(Components.interfaces.nsIScriptSecurityManager);
              const nsIScriptSecMan = Components.interfaces.nsIScriptSecurityManager;
              secMan.checkLoadURI(w.document.getElementById("content").currentURI, makeURI(this.imageURL),
                                  nsIScriptSecMan.DISALLOW_SCRIPT_OR_DATA);
              openUILink( this.imageURL, e );
            } catch(e) {}
        }
        else{
            openUILink( this.imageURL, e );
        }
    },
(Reporter)

Updated

13 years ago
Attachment #220585 - Attachment is obsolete: true
(Reporter)

Comment 7

13 years ago
apparently that's not how you upload patches :)
i included the updated function source in a comment instead
This is indeed fixed by the patch in bug 329521
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Keywords: fixed1.8.0.4, fixed1.8.1
Resolution: --- → FIXED

Comment 9

12 years ago
verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Keywords: fixed1.8.0.4 → verified1.8.0.4
Whiteboard: [sg:high] maybe fixed by 329521 → [sg:high] fixed by 329521
Group: security

Updated

11 years ago
Flags: in-litmus?
Litmus Triage Team: tomcat will cover the Litmus test case for this bug.
You need to log in before you can comment on or make changes to this bug.