Bug 389257 - Cross-application scripting vulnerability in SeaMonkey
: fixed-seamonkey1.1.4, fixed-seamonkey1.1.5
Product: SeaMonkey
Classification: Client Software
Component: Security
: 1.8 Branch
: x86 Windows XP
-- critical
: ---
Assigned To:
Depends on: IDEF2595
Reported: 2007-07-23 07:47 PDT by Thor Larholm
Modified: 2007-08-02 15:33 PDT (History)
kairo: blocking‑seamonkey1.1.4+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---

Branch patch (2.63 KB, patch)
2007-07-26 16:48 PDT,
jag-mozilla: superreview-
Simplified patch (2.47 KB, patch)
2007-07-27 13:28 PDT,
iann_bugzilla: review+
jag-mozilla: superreview+
kairo: approval‑seamonkey1.1.4+
kairo: approval‑seamonkey1.1.5+

Description Thor Larholm 2007-07-23 07:47:50 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070713 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070716 SeaMonkey/1.1.3

Firefox and Thunderbird included a command line argument called -osint which aims to prevent malicious argument injection through URL protocol handler abuse. 

SeaMonkey does not check the -osint argument. As such, it is possible to open the SeaMonkey suite from other browsers and specify arbitrary command line arguments, such as the -chrome argument.

The proof-of-concept exploit uses the mailto: URL protocol handler to open the Mail component of SeaMonkey.

This is similar to the vulnerability in

Reproducible: Always

Steps to Reproduce:
1. Close any running SeaMonkey.exe instances
2. Open in Internet Explorer
3. SeaMonkey shows the alert
Comment 1 Thor Larholm 2007-07-23 08:14:08 PDT
I didn't check the "security sensitive" flag on this report as it has already been detailed at

Comment 2 Daniel Veditz [:dveditz] 2007-07-23 12:37:43 PDT
Checking the flag is still good -- it sends extra mail about the bug and we can always uncheck it. I didn't see this bug until well after I saw your blog post and started alerting people.

-> mcsmurf per folks on #seamonkey
Comment 3 Bruno 'Aqualon' Escherl 2007-07-25 10:28:51 PDT
I tried to reproduce this with Gecko/20070716 SeaMonkey/1.1.3 and Windows XP SP2.

I closed SeaMonkey and opened above testcase in Internet Explorer 7. SeaMonkey started with a new mail compose window showing the following address: -chrome "javascript:alert(1)"

So the -chrome argument got part of the mail address.

I also tried the same from the command line, using seamonkey.exe -compose -chrome "javascript:alert(1)"

Now I got a mail compose window and the alert box. What was different was that I wasn't able to close SeaMonkey. Clicking on close removed the mail compose window but the process remained.

In my registry HKCR\mailto\shell\command contains that entry


So I can't reproduce it with my system config.
Comment 4 Robert Kaiser 2007-07-26 05:01:16 PDT
I can confirm on my WinXP SP2 laptop that using the testcase in the URL of this bug in IE7, SeaMonkey 1.1.3 comes up with only a compose window with even the -chrome in the To: line. No javascript alert, no vulnerability detected.

Can someone test this with IE6? Maybe it behaves differently in this case. Else, I'm tempted to claim that this bug does not exist in SeaMonkey 1.1.3 (branch).
Comment 5 Thor Larholm 2007-07-26 05:27:15 PDT
I have tested this with IE6 and SeaMonkey 1.1.3 on Windows XP SP2 and can confirm that I get the alert.
Comment 6 2007-07-26 16:48:54 PDT
Created attachment 274081 [details] [diff] [review]
Branch patch
Comment 7 Chris Thomas (CTho) [formerly] 2007-07-26 18:00:14 PDT
Comment on attachment 274081 [details] [diff] [review]
Branch patch

I don't understand this.
Comment 8 jag (Peter Annema) 2007-07-27 04:35:17 PDT
Comment on attachment 274081 [details] [diff] [review]
Branch patch

Let's make this a bit simpler:

#ifdef XP_WIN32
if (argc > 1 && !strcmp(argv[1], "-osint")) {
  if (argc > 4 || (argc > 2 && argv[2][0] != '-' && argv[2][0] != '/'))
    return 1;
}
#endif

or as Neil suggested:

#ifdef XP_WIN32
if (argc > 4 && !strcmp(argv[1], "-osint"))
  return 1;
#endif

since we only have to worry about those cases where we ourselves put -osint on the command line, so we know it'll be followed by a '-' or '/'.
Comment 9 2007-07-27 13:28:53 PDT
Created attachment 274206 [details] [diff] [review]
Simplified patch

We can probably assume that -osint is only going to be passed by applications launching us via the registry entries so we don't have to do extensive checking but simply test that we're not seeing unexpected numbers of arguments.
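As an added example (not code from this bug or from SeaMonkey), the two -osint checks discussed in comments 8 and 9 written as stand-alone C functions and exercised on constructed command lines. The argv layout is an assumption: it supposes the protocol-handler registry command launches the executable as `seamonkey.exe -osint -compose "%1"`, so an intact handler launch yields argc == 4 with a switch in argv[2] and the single URL in argv[3]. The samples show where the two variants agree (an over-long command line is rejected by both, a direct launch without -osint is untouched by both) and where they differ (only the fuller check rejects a non-switch argv[2]).

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example: the -osint sanity checks from comments 8 and 9 of this bug.
 * Both functions return 1 when the command line should be rejected and 0
 * when startup may continue.
 *
 * Assumed layout (not from the bug): the handler registry command runs
 *     seamonkey.exe -osint -compose "%1"
 * so a legitimate handler launch has argc == 4, argv[2] a switch and
 * argv[3] the URL. More tokens mean the URL was split into extra
 * arguments, which is what the check is meant to catch.
 */

/* Fuller variant: reject extra tokens, or an argv[2] that is not a switch. */
int osint_reject_full(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "-osint") == 0) {
        if (argc > 4)
            return 1;
        if (argc > 2 && argv[2][0] != '-' && argv[2][0] != '/')
            return 1;
    }
    return 0;
}

/* Simplified variant (Neil's suggestion): only the argument count matters. */
int osint_reject_simple(int argc, char **argv)
{
    return (argc > 4 && strcmp(argv[1], "-osint") == 0) ? 1 : 0;
}

#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Print how each check decides for one constructed command line. */
static void show(const char *label, int argc, char **argv)
{
    printf("%-30s full=%d simple=%d\n", label,
           osint_reject_full(argc, argv), osint_reject_simple(argc, argv));
}

int main(void)
{
    /* Constructed samples; none of these is a captured command line. */
    char *intact[] = {"seamonkey.exe", "-osint", "-compose",
                      "mailto:user@example.invalid"};
    char *split[] = {"seamonkey.exe", "-osint", "-compose",
                     "mailto:user@example.invalid", "-chrome", "extra-token"};
    char *odd[] = {"seamonkey.exe", "-osint", "not-a-switch",
                   "mailto:user@example.invalid"};
    char *direct[] = {"seamonkey.exe", "-compose", "-chrome", "a", "b", "c"};

    show("handler launch, intact", COUNT(intact), intact);   /* full=0 simple=0 */
    show("handler launch, URL split", COUNT(split), split);  /* full=1 simple=1 */
    show("handler launch, odd argv[2]", COUNT(odd), odd);    /* full=1 simple=0 */
    show("direct launch, no -osint", COUNT(direct), direct); /* full=0 simple=0 */
    return 0;
}
```

The simplified variant is the one the attached patch follows; it is enough precisely because, as comment 9 says, only the registry-driven launch ever puts -osint first, so the count of arguments after it is fully known in advance.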
Comment 10 Robert Kaiser 2007-08-01 13:51:24 PDT
Comment on attachment 274206 [details] [diff] [review]
Simplified patch

Once this has proper reviews (I hope this is very soon, we should really get 1.1.4 out the door), please check this in to both MOZILLA_1_8_BRANCH (1.1.5) and GECKO181_20070712_RELBRANCH (1.1.4)
Comment 11 Ian Neal 2007-08-02 13:58:11 PDT
Comment on attachment 274206 [details] [diff] [review]
Simplified patch

Comment 12 2007-08-02 15:33:32 PDT
Fix checked in.
