Closed Bug 329583 Opened 19 years ago Closed 19 years ago

Sidebar View Image xss

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
1.5.0.x Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: pvnick, Unassigned)

References

Details

(Keywords: fixed1.8.1, verified1.8.0.4, Whiteboard: [sg:high] fixed by 329521)

Attachments

(1 file, 1 obsolete file)

testcase
410 bytes, text/html
Details
Right-clicking a javascript: image on a page in the sidebar and pressing View Image will execute the script in the context of the content window.
Attached file testcase
See also bug 281490, "Many menu items in sidebar context menu don't work". For a more effective exploit: * Show a cut-off porn image in the sidebar. * Tile broken javascript: images with low opacity over the image. * Use some kind of visual distraction to disguise the sidebar splitter. * Pick an empty, small, or at least logo-free page on the XSS-victim site. (e.g. robots.txt, a stylesheet, or a small image.) I think that exploit would work against enough users and against enough sites to warrant [sg:high]. I can't reproduce in a 2006-02-22 trunk build.
Whiteboard: [sg:high]
Maybe this would be fixed by the patch in bug 329521. I can't check it right now, because context menus in the sidebar are borked in my debug build.
Flags: blocking1.8.0.3?
Flags: blocking-firefox2+
Flags: blocking-aviary1.0.9?
Target Milestone: --- → Firefox 2 alpha2
Flags: blocking1.8.0.3? → blocking1.8.0.3+
So, we haven't reimplemented sidebar panels yet (nor is it clear in what form they'll return, assuming that they do). Knocking off Fx2 radar, please renominate if/when we add that functionality and this is exploitable in the new impl.
Flags: blocking-firefox2+
Target Milestone: Firefox 2 alpha2 → ---
Depends on: 329521
Whiteboard: [sg:high] → [sg:high] maybe fixed by 329521
Attached patch proposed patch (obsolete) — Splinter Review
Checks if the document containing the image is the same as that which will be redirected from. If they're different, javascript/data urls are blocked.
Comment on attachment 220585 [details] [diff] [review] proposed patch viewImage : function (e) { urlSecurityCheck( this.imageURL, this.docURL ); //If the image's ownerDocument is in a frame, disallow viewing a javascript image var w = getTopWin(); var b = w.document.getElementById("content"); if(!b.currentURI.equals(makeURI(this.target.ownerDocument.location))){ try { const secMan = Components.classes["@mozilla.org/scriptsecuritymanager;1"] .getService(Components.interfaces.nsIScriptSecurityManager); const nsIScriptSecMan = Components.interfaces.nsIScriptSecurityManager; secMan.checkLoadURI(w.document.getElementById("content").currentURI, makeURI(this.imageURL), nsIScriptSecMan.DISALLOW_SCRIPT_OR_DATA); openUILink( this.imageURL, e ); } catch(e) {} } else{ openUILink( this.imageURL, e ); } },
Attachment #220585 - Attachment is obsolete: true
apparently that's not how you upload patches :) i included the updated function source in a comment instead
This is indeed fixed by the patch in bug 329521
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8.0.4, fixed1.8.1
Resolution: --- → FIXED
verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Keywords: fixed1.8.0.4verified1.8.0.4
Whiteboard: [sg:high] maybe fixed by 329521 → [sg:high] fixed by 329521
Group: security
Flags: in-litmus?
Litmus Triage Team: tomcat will cover the Litmus test case for this bug.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: