Closed
Bug 333394
Opened 19 years ago
Closed 19 years ago
[1.0.8] "Set as wallpaper" arbitrary execution using <object> src property
Categories
(Core :: Security, defect)
RESOLVED
FIXED
People
(Reporter: dveditz, Assigned: Gavin)
Details
(Keywords: fixed-aviary1.0.8, Whiteboard: [sg:critical] aviary1.0 branch only)
Attachments
(1 file, 2 obsolete files)
1.87 KB,
patch
Spun off from bug 333305, see bug 333305 comment 8 and testcase in attachment 217800 (full credit to moz_bug_r_a4 here).
The regression bug 333305 didn't introduce this security hole; the security hole exists in Firefox 1.0.7 and presumably Mozilla 1.7.12. The regressions from the fix for bug 293527 had the side-effect of "fixing" this security hole, but as we've fixed those regressions the original broken state was restored.
This is a variant on bug 292737, using an image <object> with a spoofed content-supplied .src property to get around the fix in that bug. In 1.8 this exploit is prevented by "shared wrappers" which will not let chrome access the content-defined .src property.
Updated • 19 years ago (Reporter)
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Summary: "Set as wallpaper" arbitrary execution using <object> (aviary/moz1.7 branch) → "Set as wallpaper" arbitrary execution using <object> src property
Whiteboard: [sg:critical] aviary1.0/moz1.7 branch only
Comment 1 • 19 years ago
(In reply to comment #0)
> the security hole exists in Firefox 1.0.7 and presumably Mozilla 1.7.12.
Mozilla suite is not affected by the "Set As Wallpaper" attack, since Mozilla suite does not use "setWallpaper.xul".
http://lxr.mozilla.org/mozilla1.7/source/xpfe/communicator/resources/content/nsContextMenu.js#615
Comment 2 • 19 years ago (Reporter)
Comment 3 • 19 years ago (Reporter)
Alternate patches, both prevent this problem. This second patch simply bails out for <object> images -- prevents the exploit, and no loss of functionality since bugs prevented them from being used as wallpaper anyway.
The first patch reads the correct data attribute for <object> images. This also stops the exploit, but adds functionality over 1.0.7 (though intended functionality).
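The following is an added illustration, not code from Firefox or from the patches attached to this bug: a simplified model in which plain JavaScript objects stand in for DOM nodes, showing how privileged code that reads `.src` directly receives a page-defined value, and how the two approaches described in comment 3 avoid that. `ModelElement`, `nativeGet`, the function names and the sample values are assumptions constructed for the example.

```javascript
// Simplified model (constructed): a class with prototype accessors stands in
// for a native element; private fields hold the real tag and attributes.
class ModelElement {
  #tag; #attrs;
  constructor(tag, attrs) { this.#tag = tag; this.#attrs = { ...attrs }; }
  get tagName() { return this.#tag; }
  get src() { return this.#attrs.src ?? null; }
  get data() { return this.#attrs.data ?? null; }
}

// Read a property through the class's own accessor, ignoring any same-named
// property the page defined on the instance. Comparable in effect to chrome
// not being allowed to see the content-defined .src.
function nativeGet(node, prop) {
  const desc = Object.getOwnPropertyDescriptor(ModelElement.prototype, prop);
  return desc.get.call(node);
}

// Trusting shape: whatever node.src evaluates to is used, including a
// getter supplied by the page.
function naiveWallpaperSource(node) {
  return node.src;
}

// Second approach in comment 3: refuse <object> images outright.
function wallpaperSourceBailOut(node) {
  if (nativeGet(node, "tagName") === "OBJECT") return null;
  return nativeGet(node, "src");
}

// First approach in comment 3: for <object>, read the data attribute.
function wallpaperSourceReadData(node) {
  const tag = nativeGet(node, "tagName");
  return nativeGet(node, tag === "OBJECT" ? "data" : "src");
}

// Constructed sample: an <object> displaying an image, on which the page
// has defined its own .src property with a value of its choosing.
function makeSpoofedObject() {
  const node = new ModelElement("OBJECT", { data: "https://example.invalid/shown.png" });
  Object.defineProperty(node, "src", { get: () => "content-chosen-value" });
  return node;
}
```
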
Comment 4 • 19 years ago (Assignee)
This was given r+sr+a and landed as part of bug 333305, attaching here for reference.
Assignee: dveditz → gavin.sharp
Attachment #217818 -
Attachment is obsolete: true
Attachment #217819 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Updated • 19 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: blocking1.7.13+
Keywords: fixed-aviary1.0.8
Resolution: --- → FIXED
Whiteboard: [sg:critical] aviary1.0/moz1.7 branch only → [sg:critical] aviary1.0 branch only
Comment 5 • 19 years ago (Assignee)
Here's a bonsai link for the checkins fixing this bug:
http://bonsai.mozilla.org/cvsquery.cgi?branch=&branchtype=match&who=gavin%25gavinsharp.com&whotype=match&date=explicit&mindate=2006-04-10+12%3A33&maxdate=2006-04-10+12%3A35
Updated • 19 years ago (Reporter)
Group: security
Updated • 19 years ago (Assignee)
Summary: "Set as wallpaper" arbitrary execution using <object> src property → [1.0.8] "Set as wallpaper" arbitrary execution using <object> src property