Bug 423541 (CVE-2008-2805)

Arbitrary file upload via originalTarget and DOM Range

Status: VERIFIED FIXED
Product: Core
Component: DOM: Core & HTML
Priority: P2
Severity: major
Reported: 9 years ago
Modified: 9 years ago

People

Reporter: Samuel Sidler (old account; do not CC)
Assigned: smaug

Tracking

Version: 1.8 Branch
Keywords: testcase, verified1.8.1.15
Points: ---
Bug Flags:
blocking1.9 -
blocking1.8.1.15 +
blocking1.8.0.next +
in-testsuite ?

Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [sg:high]

Attachments (1 attachment)

Created attachment 310115 [details]
Testcase

As reported to security@ by Opera:

While investigating potential file upload issues, one of our security
researchers came across another vulnerability in Firefox.  This is
unrelated to the issues that we have previously reported to you.
Attached.  Exploiting the issue only requires one click (anywhere in the
page), and one keypress (a-z, 0-9...any typed character works, although
ctrl/shift/backspace/etc don't work).
Filing in DOM:HTML since that's where bug 413135 was filed.
Flags: blocking1.9?
Flags: blocking1.8.1.14?
Comment 1 (Assignee), 9 years ago
Jst, could we add a check to nsDOMClassInfo: if cx doesn't have system principal
and .originalTarget is in native anonymous then return .target as 
.originalTarget.
Could we not do that in the originalTarget getter implementation instead? 
Comment 3 (Assignee), 9 years ago
But some native code which runs when there is content cx in stack may need
the right originalTarget.
Then such code should push null on the JS context stack while calling code that depends on the context stack.
Can we get a security rating on this? 
Does this really work on trunk? Getting references to the internal objects really shouldn't be able to get you anywhere on trunk.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Comment 7 (Assignee), 9 years ago
I can't reproduce this on trunk, but can on 1.8.
Samuel, you added the blocking1.9? Can you reproduce this on trunk?
Based on previous comment removing blocking.

*Definitely* renominate if this can be reproduced on trunk though!
Flags: blocking1.9+ → blocking1.9-
(In reply to comment #7)
> Samuel, you added the blocking1.9? Can you reproduce this on trunk?

Apologies. That was a kneejerk reaction. I can't reproduce on trunk.
Version: Trunk → 1.8 Branch
Flags: blocking1.8.1.15? → blocking1.8.1.15+
Whiteboard: [sg:high]
-> Olli since he fixed bug 413135.
Assignee: nobody → Olli.Pettay
Updated (Assignee), 9 years ago
Status: NEW → ASSIGNED
Comment 11 (Assignee), 9 years ago
Created attachment 319352 [details] [diff] [review]
possible patch

I'll still do some testing but I think this might be good enough.
Comment 12 (Assignee), 9 years ago
Comment on attachment 319352 [details] [diff] [review]
possible patch

I can't think of any easier way to fix this. event.originalTarget isn't the only way to get access to native anon content.

I know it sucks to put nsContentUtils::IsCallerTrustedForCapability("UniversalFileRead") to nsRange, but are there any other options?
Attachment #319352 - Flags: review?(jst)
Flags: in-testsuite?
Comment on attachment 319352 [details] [diff] [review]
possible patch

Seems reasonable for branch to me.
Attachment #319352 - Flags: review?(jst) → review+
Updated (Assignee), 9 years ago
Attachment #319352 - Flags: superreview?(jonas)
Comment 14 (Assignee), 9 years ago
Jonas, could you perhaps sr this?
Attachment #319352 - Flags: superreview?(jonas) → superreview+
Updated (Assignee), 9 years ago
Attachment #319352 - Flags: approval1.8.1.15?
Comment on attachment 319352 [details] [diff] [review]
possible patch

Approved for 1.8.1.15, a=dveditz for release-drivers
Attachment #319352 - Flags: approval1.8.1.15? → approval1.8.1.15+
Updated (Assignee), 9 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Updated (Reporter), 9 years ago
Keywords: fixed1.8.1.15
Verified for 1.8.1.15 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15pre) Gecko/2008061004 BonEcho/2.0.0.15pre.
Keywords: fixed1.8.1.15 → verified1.8.1.15
Status: RESOLVED → VERIFIED
Alias: CVE-2008-2805
Group: security

Updated, 9 years ago
Component: DOM: HTML → DOM: Core & HTML

Comment 17, 9 years ago
Comment on attachment 319352 [details] [diff] [review]
possible patch

a=asac for 1.8.0
Attachment #319352 - Flags: approval1.8.0.next+

Updated, 9 years ago
Flags: blocking1.8.0.next+