Bug 415496 - bad userpass URL parsing leads to addon install spoofing
[sg:dupe 415034]
: verified1.8.1.13
Product: Core
Classification: Components
Component: Networking
: unspecified
: All All
P2 normal
: ---
Assigned To: Daniel Veditz [:dveditz]
: Patrick McManus [:mcmanus]
Depends on: 415034
Reported: 2008-02-03 18:07 PST by Daniel Veditz [:dveditz]
Modified: 2008-03-25 21:25 PDT
mtschrep: blocking1.9+
dveditz: blocking1.8.1.13+
dveditz: wanted1.8.1.x+


Description Daniel Veditz [:dveditz] 2008-02-03 18:07:10 PST
This is an alternate exploit for the nsStandardURL User:pass parsing bug described in bug 415034 and 415401. The fix will be the same, but it's a completely unrelated testcase/exploit.

1) load  (because it's whitelisted)
2) enter the URI

An install confirmation dialog comes up. Due to this bug it shows the "test" package as coming from "". (Note: any actual install will fail as it's a fake path, that's beside the point for this test). It looks like this is just a display URI, so if it had been a real path the install would still work -- in other words you could

To exploit this the trigger would have to be run on a whitelisted site, or convince the user to paste the URL into the addressbar and not notice the evil site. You can't prevent the install confirmation dialog from coming up, but if you can convince the user that the content comes from a good source that's just as good, right? What about sourcing the package from

url = ""
InstallTrigger.install({"Google Toolbar": url});
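The description above turns on the install dialog naming a source that is not the host the package is fetched from. As an added example (not Mozilla code and not the fix from bug 415034), this sketch takes the displayed source only from the parsed URL and refuses any URL that carries userinfo; the function names, the refuse-on-userinfo policy and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not Mozilla code. Function and field names are hypothetical.
// Policy assumed here: an install prompt names only the parsed host, and any
// URL carrying userinfo (user:pass@) is refused rather than displayed.

function decodeOrRaw(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s; // malformed percent-escape: keep the raw text
  }
}

function installPromptSource(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl); // WHATWG parser: userinfo ends at the last "@" before the path
  } catch (e) {
    return { allow: false, reason: "unparseable URL" };
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    return { allow: false, reason: "unsupported scheme" };
  }
  const userinfo = u.password ? u.username + ":" + u.password : u.username;
  if (userinfo !== "") {
    const decoded = decodeOrRaw(userinfo);
    // Userinfo shaped like a host name can make the raw URL string appear
    // to come from a different site than the one actually contacted.
    const hostLike = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(decoded);
    return {
      allow: false,
      reason: hostLike ? "userinfo resembles a host name" : "userinfo present",
      displayHost: u.host,
    };
  }
  return { allow: true, displayHost: u.host };
}

// Constructed sample inputs (reserved .example names, not from the bug report).
const samples = [
  "https://files.untrusted.example/test.xpi",
  "https://addons.trusted.example@files.untrusted.example/test.xpi",
  "https://addons.trusted.example%2Fdownloads@files.untrusted.example/test.xpi",
  "https://user:secret@files.untrusted.example/test.xpi",
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(installPromptSource(s)));
}
```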
Comment 2 Mike Schroepfer 2008-02-05 18:26:03 PST
DVeditz will you be able to fix this for b4?
Comment 3 Daniel Veditz [:dveditz] 2008-02-06 00:20:42 PST
The patch in bug 415034 fixes this
Comment 4 Daniel Veditz [:dveditz] 2008-02-22 05:01:04 PST
bug 415034 fixed on trunk
Comment 5 Daniel Veditz [:dveditz] 2008-03-03 12:41:16 PST
Fix checked into 1.8 branch
Comment 6 Al Billings [:abillings] 2008-03-13 17:02:07 PDT
Verified in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008031114 Firefox/
