Closed Bug 439035 Opened 17 years ago Closed 17 years ago

Same-origin check in nsXMLHttpRequest::OnChannelRedirect() can be circumvented

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Version:
1.8 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: jst)

Details

(Keywords: testcase, verified1.8.1.15, verified1.8.1.16, Whiteboard: [sg:high xss])

Attachments

(1 file)

Fix per above comments.
2.25 KB, patch
sicking
: review+
sicking
: superreview+
dveditz
: approval1.8.1.15+
Details | Diff | Splinter Review
This is fx2-only. (On trunk, the same-origin check in question compares an old URI to a new URI.) The same-origin check in nsXMLHttpRequest::OnChannelRedirect() uses a principal of an associated JS context. It can be circumvented by loading a cross-origin page in that context before nsXMLHttpRequest::OnChannelRedirect() is called. By using this trick, an attacker can read contents and http headers of a target site. Upcoming testcase consists of an html and a cgi script, thus it does not work on bugzilla.mozilla.org. Please set up it in a suitable place.
Flags: blocking1.8.1.16?
Whiteboard: [sg:high xss]
Jonas, any reason not to just make fx2 do what trunk does here? I.e. just compare the URIs and not bother using the unreliable context pointer here?
Jonas can you work up the patch?
This fixes this bug, verified with local install of the testcase.
Assignee: jonas → jst
Status: NEW → ASSIGNED
Attachment #325799 - Flags: superreview?(jonas)
Attachment #325799 - Flags: review?(jonas)
Attachment #325799 - Flags: superreview?(jonas)
Attachment #325799 - Flags: superreview+
Attachment #325799 - Flags: review?(jonas)
Attachment #325799 - Flags: review+
Comment on attachment 325799 [details] [diff] [review] Fix per above comments. Not sure if we've decided to take more changes for 1.8.1.15, but if we did this would be a good candidate.
Attachment #325799 - Flags: approval1.8.1.15?
Flags: blocking1.8.1.15+
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.16?
Flags: blocking1.8.1.16+
Comment on attachment 325799 [details] [diff] [review] Fix per above comments. Approved for 1.8.1.15 and 1.8.1.16, a=dveditz for release-drivers Please land on both branches (MOZILLA_1_8_BRANCH for 1.8.1.16 and GECKO181_20080612_RELBRANCH for 1.8.1.15) and give the bug both fixed1.8.1.15 and fixed1.8.1.16 keywords
Attachment #325799 - Flags: approval1.8.1.16+
Attachment #325799 - Flags: approval1.8.1.15?
Attachment #325799 - Flags: approval1.8.1.15+
Fix landed on both branches.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1.15, fixed1.8.1.16
Resolution: --- → FIXED
Verified the bug with Firefox 2.0.0.14 and the fix with the final 2.0.0.15 build (Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15) Gecko/2008062305 Firefox/2.0.0.15).
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.15verified1.8.1.15
Group: security
I've verified this, again, with : Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.16) Gecko/2008070205 Firefox/2.0.0.16. With 2.0.0.14, I get the data from mozilla.com in great detail. This does not happen in 2.0.0.16.
Keywords: fixed1.8.1.16verified1.8.1.16
Flags: blocking1.8.0.15+
Flags: blocking1.8.1.17+ → blocking1.8.1.16+
Comment on attachment 325799 [details] [diff] [review] Fix per above comments. This patch had approval for 1.8.1.16, but apparently the flags got moved out. Clearing that flag to clear the queries.
Attachment #325799 - Flags: approval1.8.1.17+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: