Closed Bug 397271 Opened 18 years ago Closed 17 years ago

On Windows programs can be launched with ; as separation

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: BijuMailList, Unassigned)

Details

I don't know if anybody can do anything bad with this.
From C:\> I can make Firefox download explorer.exe by running
firefox.exe;a/../windows/explorer.exe
or
firefox.exe;a\..\windows\explorer.exe
So I am wondering: combined with another plugin vulnerability (bug 395942 QuickTime flaw or Adobe PDF vulnerability), can somebody make it dangerous?
Steps to mimic "Adobe PDF Vulnerability POC" at http://www.youtube.com/watch?v=R_mv49Sdeok
1. In OpenOffice Writer create a new document
2. Create a link with file:///C:/path_to_firefox/firefox.exe
3. Export as PDF
4. Open the PDF
5. Click the link; it will launch firefox.exe
I tried the URL "firefox.exe -chrome http://google.com". It did not work.
With OpenOffice I cannot produce a PDF with ";" or a space in the URL.
What if somebody edits the PDF with a binary editor to make ";"
I don't understand what the bug is here or why it might be a security hole.
First of all, this is an Adobe bug and the same as the QuickTime issue in bug 395942. They fixed it by showing a prompt [Allow] or [Block]. Still we have two issues...
1. I feel PDF content from a website should not be allowed to launch file:// URLs. For security reasons Firefox doesn't allow the user to navigate to any local/network drive files from an internet/intranet website. This can be used to jump around that hurdle, or even to execute an exe file or script from a network drive. Remember, a PDF file can be displayed inside an IFRAME (need to use file:// instead of file:///).
2. In the future Mozilla (or somebody) will make firefox-cli.exe (Bug 396196). Then there may be a possibility of passing chrome/js/data URLs.
Tested the same issue on an OpenOffice document (OOo 2.3.1). Writer launches anything with a ctrl+click. Impress, while playing as a slide show, doesn't hesitate to launch even an exe with just a click. I have not used the ODF plugin for Firefox, so I don't know the exact behavior when displayed in the ODF plugin.
We can't do anything about desktop applications launching Firefox. We also can't really control or prevent plugins from making network requests since not everything has to go through NPAPI (and even for the ones that do we don't have any knowledge of the security context of a given request). Each plugin is independently responsible for enforcing security. It's possible that we could provide an NPAPI sanity checker to help plugins consistently determine what action should be taken for a given request, but this would take a lot of work and it's not clear the benefit would be that significant (plugins would have to opt in to use it, and since plugins can attempt types of network operations that Firefox doesn't really support anyway).
Whiteboard: [sg:needinfo]
So what should we do with this bug? I still see the issue in comment #4 on the beta version of OOo 3. Is Mozilla talking to OOo developers about it?
Closing because this is outside Firefox's control. We're not in contact with OOo devs, but it looks like you tried at http://www.openoffice.org/issues/show_bug.cgi?id=85416 On the assumption their closing the bug means they got the message and are handling it internally I'll keep comment 4 private, but if they aren't responding we can go ahead and open that up here.
Group: core-security
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Whiteboard: [sg:needinfo]