[mz2] iframes from other sites can be changed while pointing at about:blank




12 years ago
2 months ago


(Reporter: lcamtuf, Unassigned)



Dependency tree / graph
Bug Flags:
blocking1.9 -
blocking1.8.1.5 +
wanted1.8.1.x +
wanted1.8.0.x +

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:low spoof], )



12 years ago
Firefox seems to allow third parties to replace IFRAME data of unrelated webpages by enabling non-same-domain sites to perform:

  foo = open("","target_name");

Where "target_name" is established by being opener of the targeted window, or setting window name before the user navigated away from the attack site, or knowing name assigned by the attacked site (if any).

Now, although newly written IFRAME data will inherit its location and permission from the writing page (and thus won't be able to directly interact with page elements or read window.top.document.cookie), it will be able to pull a couple of nasty tricks, say:

1) Call window.focus() and use onkeydown handler to intercept user's keystrokes on that site.

2) Display offensive, misleading or dangerous contents on trusted sites (spoofed login prompts, etc).

3) Track user behavior, including precise timing of arrival and departure, based on presence of named IFRAMEs.

Visible IFRAMEs are often used to render nested contents (forum or blog posts, photos, advertisements, etc) on various pages; and hidden IFRAMEs are commonly employed for user tracking or pre-XMLHttpRequest browser-server communications. As such, a good number of sites is affected one way or another. 

In general, it sounds like a good idea to restrict document.write and other types of interaction with all types of frames based on creator's domain.
Component: Security → DOM
Product: Firefox → Core
QA Contact: firefox → general
Version: 2.0 Branch → unspecified

Comment 1

12 years ago
test case added
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 343168
(In reply to comment #2)
> *** This bug has been marked as a duplicate of bug 343168 ***

That bug is marked fixed1.8.1 - why does this testcase still "work" on branch 1.8 builds?

Comment 4

12 years ago
Jonas - good catch, but as Gavin pointed out, bug 343168 does not resolve this testcase. My initial description was vague, but this is a related, yet distinctive problem.

The problem you fixed there is that document.write() could be used to overwrite frames that originate from Internet-based SRC= pointing to non-same-domain site. This is fixed and throws a security exception.

Unfortunately, the check implemented means that about:blank frames can be overwritten freely; and unfortunately, *all* frames, even with Internet SRC= specified, will be vulnerable to a race condition while the document loads (see a modified version of bug 343168 testcase here):


You might want to rename this bug to include 'about:blank' in its title and reopen it. The only sane fix I see is to enforce frame policy based on frame parent's origin, too (will significantly limit exposure).
Flags: blocking1.9?
Resolution: DUPLICATE → ---
Summary: [mz2] promiscuous handling of IFRAMEs → [mz2] iframes from other sites can be changed while pointing at about:blank
Blake, can we special-case about:blank if the containing frame element is from another domain?

Comment 6

12 years ago
The race condition is bug 381300, "Frame spoofing is possible within a short time frame while the window is loading".  That bug also mentions the about:blank issue; I think the two issues are connected.

Comment 7

12 years ago
Yup, bug 381300 is far closer (you might want to check both testcases on trunk to confirm whether the about:blank fix implemented there would be sufficient).

Certainly the risk of 381300 is understated; spoofing is not the only attack possible (see cnn.com example).
Jonas, yeah, we could probably do that. We might need to deal with compat issues, though.

This bug only exists on the 1.8 branch, right? I believe that Boris implemented basically what Michal describes in the last paragraph of comment 4 in bug 332182.
> Unfortunately, the check implemented means that about:blank frames can be
> overwritten freely

Right.  Because we have to check that caller can access |this| as well, and anyone can access about:blank on branch.  Perhaps for about:blank documents on branch, we should skip the "caller can access |this|" part, or replace it with "caller is this document itself".  That _should_ be ok regression-wise.

And yes, there should be no problem with about:blank on trunk.  
Flags: blocking1.9?
Flags: blocking1.9-
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?

Comment 10

12 years ago
This is a duplicate of Bug 381300


12 years ago
Last Resolved: 12 years ago12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2007-3089

Comment 12

12 years ago
publicly disclosed by Michal Zalewski to full-disclosure.
Group: security
CC list accessible: false
Not accessible to reporter
Whiteboard: [sg:low]
According to http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0026.html
bug 381300 is "a less severe variant" -- in what way is it a different bug?
Whiteboard: [sg:low] → [sg:low spoof]

Comment 14

12 years ago
The underlying bug is very much the same. The reported attack scenario differs from this entry in two aspects: the initial report considered only a more benign opportunity (page element spoofing vs snooping on user input), and did not account for the possibility that persistent about:blank frames that do not require a race condition to occur (which is important when considering a proper fix; but that point is moot if you plan to backport a more comprehensive fix from trunk).

Otherwise, same old. That's all I wanted to say there.
Marking blocking so we remember to verify that a fix for bug 381300 really does fix this testcase as well.
Flags: blocking1.8.1.5? → blocking1.8.1.5+
fix for bug 381300 landed on the 1.8 branch
Keywords: fixed1.8.1.5
Not needed for Thunderbird, up to vendors if they want it for future Firefox 1.5 versions.
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.0.13?
Component: DOM → DOM: Core & HTML
Product: Core → Core
You need to log in before you can comment on or make changes to this bug.