Bug 453526 (CVE-2008-5504)

Remaining attack vectors in feed preview on 1.8 branch

VERIFIED FIXED

Status

()

Firefox
RSS Discovery and Preview
P1
normal
VERIFIED FIXED
9 years ago
9 years ago

People

(Reporter: Gavin, Assigned: mano)

Tracking

({testcase, verified1.8.1.19})

2.0 Branch
testcase, verified1.8.1.19
Points:
---
Bug Flags:
blocking1.8.1.17 -
blocking1.8.1.18 -
blocking1.8.1.19 +
wanted1.8.1.x +
blocking1.8.0.next -
wanted1.8.0.x -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical])

Attachments

(1 attachment)

See bug 360529 comment 68 and bug 360529 comment 69.
Flags: blocking1.8.1.18?
Keywords: testcase
Flags: blocking1.8.1.18?
Flags: blocking1.8.1.18+
Flags: blocking1.8.1.17-
Summary: Remaining attack vectors in print preview on 1.8 branch → Remaining attack vectors in feed preview on 1.8 branch

Updated

9 years ago
Version: Trunk → 2.0 Branch
  -------  Comment #68 From  moz_bug_r_a4@yahoo.com   2008-09-03 05:11:44 PDT   
There are two oversight.  fx2.0.0.17 is still exploitable.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/components/feeds/src/FeedWriter.js&rev=1.2.2.36&mark=635#623
This is exploitable.  I'll attach a testcase.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/components/feeds/src/FeedWriter.js&rev=1.2.2.36&mark=404,406#397
I think this is unsafe.  But, I cannot create a testcase since I don't know a
way to execute this catch block.

------- Comment #69 From moz_bug_r_a4@yahoo.com 2008-09-03 05:14:55 PDT (-)

Created an attachment (id=336641) [attachment 336713 [details] in this bug --dveditz]
testcase 9 - handlers[0].doCommand()

This works on fx2.0.0.17-candidate-build2 (2008082909).

This uses bug 451680's XSS trick.
Blocks: 360529
Whiteboard: [sg:critical]
Flags: wanted1.8.1.x+
Status: NEW → ASSIGNED
Priority: -- → P1
QA Contact: rss.preview → mano
Assignee: nobody → mano
Mano, any update here?
QA Contact: mano → rss.preview
Flags: blocking1.8.1.19+
Flags: blocking1.8.1.18-
Flags: blocking1.8.1.18+
Mano, have you had time to work on this? I'd hate to miss this for a third release in a row, especially since it's the last Firefox 2 release...
Whiteboard: [sg:critical] → [sg:critical][needs 1.8 patch]
Mano, please attach a 1.8 patch for this. Code freeze is on Monday.
Created attachment 348427 [details] [diff] [review]
patch

See bug 388207, I didn't remove the element from subscribe.xhtml for the sake of backwards-compatibly.
Attachment #348427 - Flags: review?(mconnor)
Attachment #348427 - Flags: approval1.8.1.19?

Updated

9 years ago
Attachment #348427 - Flags: review?(mconnor) → review+
Comment on attachment 348427 [details] [diff] [review]
patch

Looks good.
Comment on attachment 348427 [details] [diff] [review]
patch

Approved for 1.8.1.19, a=dveditz for release-drivers
Attachment #348427 - Flags: approval1.8.1.19? → approval1.8.1.19+
Whiteboard: [sg:critical][needs 1.8 patch] → [sg:critical]
Can we get this landed asap? Code freeze was technically last night...
Checking in browser/components/feeds/src/FeedWriter.js;
/cvsroot/mozilla/browser/components/feeds/src/FeedWriter.js,v  <--  FeedWriter.js
new revision: 1.2.2.37; previous revision: 1.2.2.36
done
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Keywords: fixed1.8.1.19
Resolution: --- → FIXED
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008112503 BonEcho/2.0.0.19pre.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.19 → verified1.8.1.19

Comment 12

9 years ago
not an issue on 1.8.0
Flags: wanted1.8.0.x-
Flags: blocking1.8.0.next-
Alias: CVE-2008-5504
Group: core-security
You need to log in before you can comment on or make changes to this bug.