Bug 371375 - [FIX] Websites can test for URLs visited (pdp Firefox Cache Hack - Firefox History Hack redux)
Status: RESOLVED FIXED
Keywords: fixed1.8.0.12, fixed1.8.1.4, privacy
Product: Core
Classification: Components
Component: Security
Version: 1.8 Branch
Platform: All / All
Importance: -- minor
Target Milestone: ---
Assigned To: Boris Zbarsky [:bz]
QA Contact:
Mentors:
URL: http://www.gnucitizen.org/projects/hs...
Depends on: 936809
Blocks:
Reported: 2007-02-23 06:59 PST by Ben Bucksch (:BenB)
Modified: 2013-11-09 10:47 PST
CC: 12 users
Flags: bzbarsky: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Fix (1.31 KB, patch)
2007-02-23 11:12 PST, Boris Zbarsky [:bz]
dveditz: review+
dveditz: superreview+
dveditz: approval1.8.1.4+
dveditz: approval1.8.0.12+
Regression test (2.95 KB, patch)
2007-02-23 11:30 PST, Boris Zbarsky [:bz]
no flags

Description Ben Bucksch (:BenB) 2007-02-23 06:59:36 PST
Subject: Firefox Cache Hack - Firefox History Hack redux
From: "pdp (architect)" <pdp.gnucitizen@googlemail.com>
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com,
	"WASC Forum" <websecurity@webappsec.org>
Date: Fri, 23 Feb 2007 12:32:29 +0000
Message-ID: <6905b1570702230432q5a0a5b7eq4839d709748f9b90@mail.gmail.com>


http://www.gnucitizen.org/projects/hscan-redux/

[...]

This vulnerability is not a reworked version of Jeremiah Grossman
history hack. It is completely different and it should be treated as a
new issue. The peculiar thing about this vulnerability is that it
tells you which URLs you have attended during the current browser
session (the last time you opened your browser). I am not sure how
useful this is.

Keep in mind that attackers can abuse this vulnerability in order to
extract valuable information about your browsing habits. They can also
use this hack to precisely detect whether you are logged into your
router management interface. They can use this hack to detect your
router type and version as well. Based on this information, they might
be able to compromise the integrity of your network.

The POC is located [... below]. If all checks show up as NOT visited, then visit one of the listed URLs and retest again.

http://www.gnucitizen.org/projects/hscan-redux/poc.htm
Comment 1 Ben Bucksch (:BenB) 2007-02-23 07:05:18 PST
It seems you can only test for specific URLs, not really getting the list. Compare bug 147777.
Comment 2 Boris Zbarsky [:bz] 2007-02-23 09:51:02 PST
So on trunk this doesn't work at all, because CheckLoadURI blocks the loads.  On branch, it doesn't because about: is a ChromeProtocol and <script> is allowed to load such on branch (because we want to allow loading of chrome:// scripts or something).

Now why the heck is about: a ChromeProtocol instead of a DenyProtocol?  It used to be the latter, but then the change to implement about:about in bug 56061 changed it.  The comments about the security implications of that change in that bug are completely bogus.  It allowed a heck of a lot more than chrome:// URIs to load about: URIs.  And more importantly, chrome:// should already have the system principal, so on the 1.8 branch (where we use CheckLoadURIWithPrincipal in all the sane cases) we really don't need that change.
Comment 3 Boris Zbarsky [:bz] 2007-02-23 11:12:41 PST
Created attachment 256194 [details] [diff] [review]
Fix
Comment 4 Boris Zbarsky [:bz] 2007-02-23 11:30:45 PST
Created attachment 256196 [details] [diff] [review]
Regression test
Comment 5 kitchin 2007-02-23 12:05:46 PST
Why should <script> be able to load chrome:// ?
Comment 6 Boris Zbarsky [:bz] 2007-02-23 12:24:10 PST
Long story which doesn't really belong here.  See bug 292789.
Comment 7 Daniel Veditz [:dveditz] 2007-02-23 18:42:24 PST
Comment on attachment 256194 [details] [diff] [review]
Fix

r/sr=dveditz
Comment 8 Daniel Veditz [:dveditz] 2007-02-23 18:43:47 PST
Note that this means on-disk help pages can't link to things like about:license or about:credits.  Not worth opening privacy holes for, but prepare for complaints.
Comment 9 Boris Zbarsky [:bz] 2007-02-23 21:20:00 PST
Not sure why this was filed as a trunk bug, since the issue is branch-only.
Comment 10 Boris Zbarsky [:bz] 2007-02-23 21:29:59 PST
> Note that this means on-disk help pages 

Hmm... Are those something we ship?
Comment 11 Daniel Veditz [:dveditz] 2007-02-24 22:28:15 PST
We (Mozilla) don't, no, but some distros/OEMs might. But then, I'm not sure they're linking to about: anything from there. Just thought I'd mention it in case it reminded someone of a similar use.
Comment 12 Daniel Veditz [:dveditz] 2007-03-16 15:05:44 PDT
Comment on attachment 256194 [details] [diff] [review]
Fix

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Comment 13 Boris Zbarsky [:bz] 2007-03-28 13:26:00 PDT
Fixed on both branches, tests checked in.