Bug 381300 (CVE-2007-3089) - Frame spoofing is possible within a short time frame while the window is loading.
Status: Closed, RESOLVED FIXED (opened 18 years ago, closed 18 years ago)
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: ronen.zilberman, Assigned: jst
Details: Keywords: fixed1.8.0.15, fixed1.8.1.5, qawanted; Whiteboard: [sg:low spoof] 1.8-branch only
Attachments (3 files):
- 1.93 KB, text/html
- 58.24 KB, patch; mrbkap: review+, jst: superreview+, dveditz: approval1.8.1.5+
- 57.36 KB, patch; caillon: approval1.8.0.next+
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading.
Because the exact time is non-constant and unknown, multiple attempts are carried out. The failed ones are silently discarded using a try/catch block.
This is similar to Bug 343168.
Both the 'frames[x].document.open()' method (described in above bug) and a normal 'frames[x].document' method are shown to reliably produce the exploit.
Reproducible: Always
Steps to Reproduce:
See attached test case.
Comment 1•18 years ago (Reporter)
Comment 2•18 years ago
I can reproduce this with a current branch build, but not on the trunk.
Component: Security → DOM
Whiteboard: [sg:low spoof]
Updated•18 years ago
Assignee: dveditz → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: [sg:low spoof] → [sg:low spoof] 1.8-branch only?
Version: unspecified → 1.8 Branch
Updated•18 years ago
QA Contact: toolkit → ian
Comment 3•18 years ago (Reporter)
It seems that the problem is this:
The frame's location is "about:blank" while it is being loaded, and it is during this time that it can be spoofed (after the parent document has been loaded, but before the framed document has been loaded).
Comment 4•18 years ago
This was fixed on the trunk by changing the way we treat about:blank.
Whiteboard: [sg:low spoof] 1.8-branch only? → [sg:low spoof] 1.8-branch only
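As an added illustration (not code from this bug or from Mozilla) of the about:blank handling described in comment 3 and comment 4, here is a small JavaScript model of a same-origin check under the 1.8-branch behaviour and under the trunk behaviour; it assumes the trunk fix gives a still-loading subframe the principal of the document that created it, and the hostnames and helper names are hypothetical:

```javascript
// Added model (not Mozilla's code) of the about:blank principal handling the
// bug discusses. On the 1.8 branch a subframe is "about:blank" until its real
// content arrives, and during that window any caller passed the access check;
// the trunk fix (assumed here) gives such a document the origin of the document
// that created it. Hostnames and helper names are hypothetical.

function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Effective origin of a document under the two policies.
//   "legacy"  : about:blank carries no origin of its own (null), so any caller
//               passes the check while the frame is loading.
//   "inherit" : about:blank takes the origin of the document that created it
//               (its parent frame, or its opener for a top-level window).
function effectiveOrigin(doc, policy) {
  if (doc.url !== "about:blank") return origin(doc.url);
  if (policy === "legacy") return null;
  const creator = doc.parent || doc.opener;
  return creator ? effectiveOrigin(creator, policy) : null;
}

function canAccess(callerDoc, targetDoc, policy) {
  const target = effectiveOrigin(targetDoc, policy);
  if (target === null) return true;   // legacy hole: blank frames open to all
  return origin(callerDoc.url) === target;
}

// The situation from the report: script on one origin opens a window on
// another site whose subframe has not loaded yet, then the frame finishes.
function frameAccessDuringLoad(policy) {
  const opener = { url: "https://attacker.example/" };          // constructed
  const popup  = { url: "https://bank.example/", opener };       // constructed
  const frame  = { url: "about:blank", parent: popup };          // still loading
  const whileLoading = canAccess(opener, frame, policy);
  frame.url = "https://bank.example/login";                      // load completed
  const afterLoad = canAccess(opener, frame, policy);
  return { whileLoading, afterLoad };
}
```

Under "legacy" the check is only passed during the load window, which is exactly the gap the report's repeated attempts exploit; under "inherit" the blank frame already belongs to the parent document's origin, so the window never opens.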
Comment 5•18 years ago
I wonder whether we could at least port part of that (e.g. the default principal for subframes)... Not sure how easy that would be.
Comment 7•18 years ago
Publicly disclosed by Michal Zalewski to full-disclosure.
Group: security
CC list accessible: false
Not accessible to reporter
Comment 8•18 years ago
The trunk fix was in bug 332182. Looking at it now, it might not be impossible to merge to branch, if we're sure it doesn't break the web (which seems likely). Some of the code is sure to not apply, and we'd need to add interfaces instead of changing them, but it might be doable in general.... Unfortunately, I'm not going to be able to do it in the near future. :(
Comment 9•18 years ago
I think it's a critical vulnerability, isn't it? It's very dangerous if someone uses this exploit to steal accounts.
I'd really appreciate it if you could fix this in the next branch build.
Comment 10•18 years ago
This bug got some publicity and one bank tells their users to 'stop using Firefox until it's fixed and switch to IE6'. http://www.multibank.pl/co_nowego/aktualnosci?_a=15793
Updated•18 years ago
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Comment 11•18 years ago
It is gaining in publicity.
NIST's Vulnerability DB lists the CVSS Severity at 10.0 (High): http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3089
All Fx users at my work got a message from our corp security team last week telling us to uninstall Fx immediately.
Comment 12•18 years ago
I've confirmed that this patch fixes the "exploit testcase" in this bug. I have NOT had a chance to do any other testing yet. In particular, I have not run it on the tests attached to bug 332182. It would be great if someone would, with all the various new-window pref settings (at the very least, with the settings to force all new windows into windows, tabs, and same rendering area).
Note that the tests can be run with jssh; I think we have some documentation on mozilla.org for that.
I'll try to get this also ported to the 1.8.0 branch.
Attachment #269025 - Flags: superreview?(jst)
Attachment #269025 - Flags: review?(mrbkap)
Comment 13•18 years ago
I should also note that if run under jssh the tests will do the different pref values automatically... So that's really the way to go, imo.
Comment 14•18 years ago
Works with all the testcases from bug 332182 here, on Firefox 2.0.0.4+patch.
Comment 15•18 years ago
I'm basically gone starting today for two weeks or so. jst or Blake, could you drive this in? I don't have the 1.8.0 port done (or even significantly started), unfortunately. :(
Updated•18 years ago
Whiteboard: [sg:low spoof] 1.8-branch only → [sg:low spoof] 1.8-branch only, need r=mrbkap, sr=jst
Comment 16•18 years ago
Required to fix public exploit bug 382686.
Comment 17•18 years ago (Assignee)
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch
Looks good to me, sr=jst. I happened to spot one typo in surrounding code as I was reading through it, fix it if you want to:
- In nsDocShell::DoURILoad():
// XXX: Is seems wrong that the owner is ignored - even if one is
Attachment #269025 - Flags: superreview?(jst) → superreview+
Comment 18•18 years ago
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch
*stamp*
Attachment #269025 - Flags: review?(mrbkap) → review+
Comment 19•18 years ago
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch
Hoping for some last-minute approval love.
Attachment #269025 - Flags: approval1.8.1.5?
Comment 20•18 years ago
Comment on attachment 269025 [details] [diff] [review]
Backport of fix for bug 325816 and bug 332182 to 1.8 branch
approved for 1.8.1.5, a=dveditz
Attachment #269025 - Flags: approval1.8.1.5? → approval1.8.1.5+
Updated•18 years ago
Comment 21•18 years ago
Attachment #271902 - Flags: approval1.8.0.13?
Comment 22•18 years ago
Please see bug 387979.
Updated•18 years ago
Alias: CVE-2007-3089
Comment 23•18 years ago
Verified using test cases in comment #1 on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/2007071317 Firefox/2.0.0.5. Also on Mac 2005rc2 build.
Updated•18 years ago
Depends on: CVE-2007-3844
Comment 24•18 years ago
In the interest of getting a Thunderbird 1.5.0.13 out ASAP to address the known problems, this spoofing bug will need to wait for the 1.8.0.14 releases.
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Updated•18 years ago
Attachment #271902 - Flags: approval1.8.0.13? → approval1.8.0.14?
Comment 25•17 years ago
Not needed in a Thunderbird 1.8.0 release, still wanted for browsers.
Flags: blocking1.8.0.15+
Flags: blocking1.8.0.14-
Flags: blocking1.8.0.14+
Updated•17 years ago
Attachment #271902 - Flags: approval1.8.0.15?
Comment 26•17 years ago
Comment on attachment 271902 [details] [diff] [review]
1.8.0 branch patch
a=caillon for 1.8.0.15 (and clearing stale .14 request)
Attachment #271902 - Flags: approval1.8.0.15?
Attachment #271902 - Flags: approval1.8.0.15+
Attachment #271902 - Flags: approval1.8.0.14?
Updated•17 years ago
Keywords: checkin-needed
Whiteboard: [sg:low spoof] 1.8-branch only, need r=mrbkap, sr=jst → [check in on 1.8.0. Bug 388121 MUST land with it][sg:low spoof] 1.8-branch only, need r=mrbkap, sr=jst
Comment 27•17 years ago
MOZILLA_1_8_0_BRANCH:
Checking in caps/src/nsPrincipal.cpp;
/cvsroot/mozilla/caps/src/nsPrincipal.cpp,v <-- nsPrincipal.cpp
new revision: 1.37.2.1.2.1; previous revision: 1.37.2.1
done
Checking in caps/src/nsScriptSecurityManager.cpp;
/cvsroot/mozilla/caps/src/nsScriptSecurityManager.cpp,v <-- nsScriptSecurityManager.cpp
new revision: 1.266.2.7.2.11; previous revision: 1.266.2.7.2.10
done
Checking in content/base/src/nsFrameLoader.cpp;
/cvsroot/mozilla/content/base/src/nsFrameLoader.cpp,v <-- nsFrameLoader.cpp
new revision: 1.53.6.1.4.2; previous revision: 1.53.6.1.4.1
done
Checking in content/base/src/nsDocument.h;
/cvsroot/mozilla/content/base/src/nsDocument.h,v <-- nsDocument.h
new revision: 3.264.2.3.2.5; previous revision: 3.264.2.3.2.4
done
Checking in content/base/src/nsDocument.cpp;
/cvsroot/mozilla/content/base/src/nsDocument.cpp,v <-- nsDocument.cpp
new revision: 3.566.2.6.2.17; previous revision: 3.566.2.6.2.16
done
Checking in docshell/base/nsDocShell.cpp;
/cvsroot/mozilla/docshell/base/nsDocShell.cpp,v <-- nsDocShell.cpp
new revision: 1.719.2.21.2.14; previous revision: 1.719.2.21.2.13
done
Checking in docshell/base/nsDocShell.h;
/cvsroot/mozilla/docshell/base/nsDocShell.h,v <-- nsDocShell.h
new revision: 1.186.2.3.2.2; previous revision: 1.186.2.3.2.1
done
Checking in dom/public/base/nsPIDOMWindow.h;
/cvsroot/mozilla/dom/public/base/nsPIDOMWindow.h,v <-- nsPIDOMWindow.h
new revision: 1.49.2.2.4.1; previous revision: 1.49.2.2
done
Checking in dom/src/base/nsGlobalWindow.cpp;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v <-- nsGlobalWindow.cpp
new revision: 1.761.2.22.2.23; previous revision: 1.761.2.22.2.22
done
Checking in dom/src/base/nsGlobalWindow.h;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.h,v <-- nsGlobalWindow.h
new revision: 1.250.2.9.2.4; previous revision: 1.250.2.9.2.3
done
Checking in embedding/components/windowwatcher/src/Makefile.in;
/cvsroot/mozilla/embedding/components/windowwatcher/src/Makefile.in,v <-- Makefile.in
new revision: 1.26.26.1; previous revision: 1.26
done
Checking in embedding/components/windowwatcher/src/nsWindowWatcher.h;
/cvsroot/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.h,v <-- nsWindowWatcher.h
new revision: 1.21.8.1.4.2; previous revision: 1.21.8.1.4.1
done
Checking in embedding/components/windowwatcher/src/nsWindowWatcher.cpp;
/cvsroot/mozilla/embedding/components/windowwatcher/src/nsWindowWatcher.cpp,v <-- nsWindowWatcher.cpp
new revision: 1.100.2.5.2.4; previous revision: 1.100.2.5.2.3
done
Checking in dom/src/jsurl/nsJSProtocolHandler.cpp;
/cvsroot/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp,v <-- nsJSProtocolHandler.cpp
new revision: 1.113.2.2.2.5; previous revision: 1.113.2.2.2.4
done
Checking in content/html/document/src/nsHTMLDocument.cpp;
/cvsroot/mozilla/content/html/document/src/nsHTMLDocument.cpp,v <-- nsHTMLDocument.cpp
new revision: 3.615.2.10.2.17; previous revision: 3.615.2.10.2.16
done
Checking in content/base/public/nsIDocument.h;
/cvsroot/mozilla/content/base/public/nsIDocument.h,v <-- nsIDocument.h
new revision: 3.207.2.1.4.4; previous revision: 3.207.2.1.4.3
done
Keywords: checkin-needed → fixed1.8.0.15
Whiteboard: [check in on 1.8.0. Bug 388121 MUST land with it][sg:low spoof] 1.8-branch only, need r=mrbkap, sr=jst → [sg:low spoof] 1.8-branch only
Updated•6 years ago
Component: DOM → DOM: Core & HTML