"Save as complete" gives access to content from other domains

NEW
Unassigned

Status

()

Core
Serializers
P3
normal
12 years ago
a month ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

({csectype-disclosure, sec-moderate})

Trunk
PowerPC
Mac OS X
csectype-disclosure, sec-moderate
Points:
---
Bug Flags:
blocking1.9 -
wanted1.9 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:moderate] Saved pages can see any page user has access to)

(Reporter)

Description

12 years ago
Doing "save as complete" on a page from domain A also saves any referenced content from domain B.  (If the page on B is included using bogus <script> tag, its source is saved; if it's included using an <iframe> tag, its DOM is serialized and that is saved.)  When you load the saved page from A, it can access the content of the saved page from B.

This bug could be used to steal intranet data or sensitive information from your accounts on many types of sites.  For example, an attacker's site might reference the URL for a security-sensitive bug report.  If a member of the security group saved an attacker's page and then loaded it, the attacker would be able to see the bug report.

See also bug 230606.  A simple fix for bug 230606 would fix this bug, but would break some legitimate multi-framed, scripted pages when they are saved.  A fix for bug 230606 that automatically grouped "foo.html" with the folder "foo_files" would not fix this bug.
(Reporter)

Comment 1

12 years ago
[sg:moderate] because:

* Exploiting this requires an attacker to get a user to save the attacker's page (in contrast to bug 230606, which can be exploited in many ways).

* This can be used to read data from intranet sites / user accounts, and could be used in CSRF attacks (since it could reveal formkeys), but it can't be used for XSS.
Whiteboard: [sg:moderate] Saved pages can see pages user has access to
(Reporter)

Updated

12 years ago
Whiteboard: [sg:moderate] Saved pages can see pages user has access to → [sg:moderate] Saved pages can see any page user has access to
(Reporter)

Comment 2

11 years ago
Related to bug 395752?
why is component 'text to dom' - <img src=''> works fine
Flags: blocking1.9?
Talked dveditz about this. Not sure what we really can do here unfortunately.
Flags: wanted1.9+
Flags: blocking1.9?
Flags: blocking1.9-
Not going to keep this bug closed any longer, and not sure what we can do about this problem either, short of replacing Save As Complete with an entirely new feature in Firefox where we can track the origin of different pieces of a webpage etc.
Group: core-security
(Reporter)

Updated

5 years ago
Keywords: csec-disclosure
(Reporter)

Comment 6

2 years ago
We should try to coordinate a fix with Google Chrome, which has a similar "save as complete" feature. (I assume they don't have a mitigation in place either?)
(Reporter)

Comment 7

2 years ago
"Save as complete" should probably store metadata that browsers can use to recover information about each file's origin. One way would be to use a special subfolder named "other_origins":

    foo.html
    foo_files/
        other_origins/
            bugzilla.mozilla.org/
                 bug_332676.html

Supporting browsers would know that everything under "other_origins/bugzilla.mozilla.org" should be treated as its own origin (not equivalent to foo.html or to the real bugzilla.mozilla.org). Other browsers would still be able to view the saved file, but less safely.
Chrome considers each separate file loaded from file:// as different-origin from every other file loaded from file://.

Microsoft has a policy more similar out ours though.
(Reporter)

Comment 9

2 years ago
Let's do what Chrome does, then.
Duplicate of this bug: 1279126

Updated

2 months ago
Priority: -- → P3
Duplicate of this bug: 1415636
You need to log in before you can comment on or make changes to this bug.