Open Bug 330070 Opened 20 years ago Updated 3 years ago

Investigate mail URLs for abusable actions

Categories

(MailNews Core :: Networking, defect)

defect

Tracking

(blocking-thunderbird3.1 -)

Tracking Status
blocking-thunderbird3.1 --- -

People

(Reporter: dveditz, Unassigned)

Details

(Keywords: sec-audit)

Attachments

(1 file)

Spun off from bug 328454 comment 7. Can mail URLs like mailbox, imap, pop embed actions that an attacker could use to do things on the user's behalf? We need to distinguish between URLs that we have added to the message to fetch additional fragments or whatever, and URLs that were in the message when we received it.
Whiteboard: [sg:investigate]
at least imap uris seem to cause problems. it is possible for an imap message to load another message in an iframe if the message id, username and imap server are known. this is unpleasant in an intranet, when most of the above is known. the recent nested iframe bug allows getting the username and the server unless i am wrong. i suspect problems if javascript is enabled in mailnews, investigation later. once upon a time, it was possible to abuse imap uris to create folders (though iirc this abuse was definitely fixed). can someone give the format for folder creation if still possible? tested on bird 1.5 and seamonkey latest trunk. testcase that needs modification to follow.
Attached file imapuris local folder
instructions later
instructions for the imap uris local folder:
1. save the attachment as a local folder.
2. copy the message "imap message - get imap uri" in it on an imap server.
3. open the message titled "imap message - get imap uri" from the server.
4. check javascript console for a css error and copy the imap uri - starting with imap://
5. edit the message "fetching imap message" and set the <iframe src="RESULT_OF_STEP4" - you may edit it in the local folder.
6. copy the message "fetching imap message" on the imap server and then open it. if the iframe shows the other message, obviously it is loaded.
on seamonkey mail managed to do the following: print preview executes javascript, which opens imap://luser@host/msg1 in a browser window. if msg1 contains plain javascript, it gets executed in the browser window and the title of alert() shows "imap://host". but msg1 can't access the content of other imap:// messages, though it can load them in iframe/window.open().
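Added example, not code from this bug, Thunderbird or SeaMonkey: a small JavaScript filter for the distinction comment 0 asks for. It scans a received HTML message body for src/href/action/data attributes whose URL uses a mail-protocol scheme (imap, mailbox, pop, pop3), reports them, and strips them unless the URL is in a set the client itself injected while rendering. The sample message, the hostnames and paths, and every function name (findMailSchemeReferences, stripMailSchemeReferences, etc.) are constructed for this example; the regex-based attribute scan is a demonstration, not a full HTML parser.

```javascript
// Added example (not Thunderbird's or SeaMonkey's code): detect and neutralise
// mail-protocol URLs that arrive inside a received message body.
// Per comment 0, a URL the client itself injected while rendering may be honoured;
// a URL that was already in the message when it was received should not.
// All names below are constructed for this example.

const MAIL_SCHEMES = new Set(["imap", "mailbox", "pop", "pop3"]);

// Crude tag/attribute matcher for the demo (not a full HTML parser):
// group 1 = tag start up to the attribute, 2 = tag name, 3 = the whole attribute,
// 4 = attribute name, 5/6/7 = value in double quotes / single quotes / bare.
// It sees only the first URL-bearing attribute of each tag.
const URL_ATTR_RE =
  /(<\s*([a-zA-Z][\w-]*)\b[^>]*?)(\s(src|href|action|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))/gi;

// Fresh regex object per call so lastIndex state never leaks between calls.
function urlAttrRegex() {
  return new RegExp(URL_ATTR_RE.source, URL_ATTR_RE.flags);
}

// Returns the lower-cased URL scheme, or null for relative URLs.
function schemeOf(url) {
  const m = /^\s*([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

function isMailSchemeUrl(url) {
  const scheme = schemeOf(url);
  return scheme !== null && MAIL_SCHEMES.has(scheme);
}

// Lists every src/href/action/data attribute in `html` whose value uses a mail scheme.
function findMailSchemeReferences(html) {
  const hits = [];
  for (const m of html.matchAll(urlAttrRegex())) {
    const url = m[5] ?? m[6] ?? m[7] ?? "";
    if (isMailSchemeUrl(url)) {
      hits.push({ tag: m[2].toLowerCase(), attr: m[4].toLowerCase(), url });
    }
  }
  return hits;
}

// Removes mail-scheme attributes from `html`, except URLs listed in `clientInjected`
// (the set of URLs the mail client added itself, e.g. to fetch a message part).
function stripMailSchemeReferences(html, clientInjected = new Set()) {
  return html.replace(
    urlAttrRegex(),
    (whole, prefix, _tag, _attrChunk, _attrName, dq, sq, bare) => {
      const url = dq ?? sq ?? bare ?? "";
      if (!isMailSchemeUrl(url) || clientInjected.has(url)) return whole;
      return prefix; // keep the tag and its other attributes, drop this one
    }
  );
}

// Constructed sample of a received HTML message (hosts and paths are placeholders).
const SAMPLE_MESSAGE_HTML = [
  "<p>Quarterly report attached.</p>",
  '<img src="cid:part1.logo@example.invalid" alt="logo">',
  '<iframe src="imap://luser@mail.example.invalid/fetch%3EUID%3E/INBOX%3E42"></iframe>',
  "<a href='mailbox:///home/luser/Mail/Inbox?number=7'>old mail</a>",
  '<a href="https://example.invalid/report">report</a>',
].join("\n");

// Demo output when run directly with node.
console.log(findMailSchemeReferences(SAMPLE_MESSAGE_HTML));
console.log(stripMailSchemeReferences(SAMPLE_MESSAGE_HTML));
```

On the sample message the scan reports the imap iframe and the mailbox link but not the cid: image or the https link; stripping leaves `<iframe></iframe>` and `<a>old mail</a>` in place so the rest of the markup still renders. Passing the client's own injected URLs as the second argument keeps exactly those and removes the rest.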
Product: Core → MailNews Core
blocking-thunderbird3.1: --- → ?
Whiteboard: [sg:investigate] → [sg:want P4]
It's not obvious to me what the likely-case exploit of the thing georgi described is that doesn't require the user to hand-edit a bunch of stuff. The ones that do spring to my mind aren't very severe at all, particularly since we no longer enable JS for messages at all. Doing a more general investigation as per comment 0 would be great, but I don't think it can really block 3.1. Based on that, marking as blocking- for now. Jesse, if you're aware of some particularly severe way to exploit this, please describe it in detail and renominate. Thanks!
blocking-thunderbird3.1: ? → -
yes, it's impossible to do js in a mail message now, which does seem to make this not particularly exploitable. And we block remote content by default as well.
Opening up based on comments 5 and 6.
Group: core-security
Assignee: mozilla → nobody
Keywords: sec-want
QA Contact: mscott
Removing myself on all the bugs I'm cced on. Please NI me if you need something on MailNews Core bugs from me.
If this is TB only, should we clear our sec flags?
Flags: needinfo?(dveditz)
Several projects share the keywords (e.g. Mozilla websites) and there are still folks working on Thunderbird. Just don't include mailnews in your queries.
Flags: needinfo?(dveditz)
Keywords: sec-wantsec-audit
Keywords: sec-want
Whiteboard: [sg:want P4]
Keywords: sec-want
Severity: normal → S3
