Closed
Bug 458248
(CVE-2008-5506)
Opened 16 years ago
Closed 16 years ago
XMLHttpRequest 302 response disclosure
Categories
(Core :: DOM: Core & HTML, defect, P2)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla1.9.1
People
(Reporter: marius_schilder, Assigned: sicking)
References
Details
(4 keywords, Whiteboard: [sg:moderate])
Attachments
(3 files)
|
8.69 KB,
patch
|
sicking
:
review+
sicking
:
superreview+
dveditz
:
approval1.8.1.19+
dveditz
:
approval1.9.0.5+
|
Details | Diff | Splinter Review |
|
981 bytes,
patch
|
jst
:
review+
jst
:
superreview+
samuel.sidler+old
:
approval1.8.1.19+
|
Details | Diff | Splinter Review |
|
2.86 KB,
patch
|
sicking
:
review+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9) Gecko/2008052912 Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9) Gecko/2008052912 Firefox/3.0
A XMLHttpRequest which hits a 302 to another domain returns the 302 headers and body. In single-signon environments these headers might contain sensitive url parameters.
The XMLHttpRequest originates from source domain, but the SSO state could be protected with HttpOnly. Returning the 302 headers allows for using the SSO state as an oracle to mints access tokens for other domains.
All other browsers I tested do not return such 302 responses to the script.
Reproducible: Always
Steps to Reproduce:
1.Setup a server that has a 302 to another domain
2.Issue XHR, in domain, to the url that will 302
3.Observe the 302 headers and body are available to the XHR issuer
Actual Results:
302 headers and body, with location being a different protocol:host:port/path?params
Expected Results:
Security exception or no data. Other browsers return status 0 and no content. Or throw security exceptions.
Since other browsers do not return data, it is unlikely that tightening this up will break existing applications.
As for precedents regarding fixing this type of bug, see https://bugzilla.mozilla.org/show_bug.cgi?id=397427
Component: Security → DOM
Product: Firefox → Core
QA Contact: firefox → general
Version: unspecified → 1.9.0 Branch
|
||
Comment 1•16 years ago
|
||
So we have server at example.org, running XHR to example.org, which redirects to example.com ?
|
Reporter | |
Comment 2•16 years ago
|
||
yes, for instance. And the XHR being XSS injected. The XSS couldn't steal SSO cookie directly (httponly) but can still use it as oracle. A 302 might contain data intended for the other domain only.
|
Assignee | |
Comment 3•16 years ago
|
||
XS-XHR might have "fixed" this.
|
||
Comment 4•16 years ago
|
||
> XS-XHR might have "fixed" this.
That doesn't help FF3. I bet this affects FF2 as well.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x?
Flags: blocking1.9.0.4?
Flags: blocking1.8.1.18?
Whiteboard: [sg:moderate]
|
|
||
Updated•16 years ago
|
Assignee: nobody → jonas
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.4?
Flags: blocking1.9.0.4+
Flags: blocking1.8.1.18?
Flags: blocking1.8.1.18+
Version: 1.9.0 Branch → unspecified
|
|
||
Updated•16 years ago
|
Flags: blocking1.9.0.5+
Flags: blocking1.9.0.4+
Flags: blocking1.8.1.19+
Flags: blocking1.8.1.18+
|
||
Updated•16 years ago
|
Whiteboard: [sg:moderate] → [sg:moderate][needs branch patches]
|
|
Assignee | |
Comment 5•16 years ago
|
||
Got r/sr from mrbkap
Attachment #348717 -
Flags: superreview+
Attachment #348717 -
Flags: review+
|
|
Assignee | |
Updated•16 years ago
|
Attachment #348717 -
Attachment description: Patch to fix → Branch fix
|
|
Assignee | |
Updated•16 years ago
|
Attachment #348717 -
Flags: approval1.9.0.5?
Attachment #348717 -
Flags: approval1.8.1.19?
|
|
||
Comment 6•16 years ago
|
||
Comment on attachment 348717 [details] [diff] [review]
Branch fix
approved for 1.8.1.19 and 1.9.0.5, a=dveditz for release-drivers
Attachment #348717 -
Flags: approval1.9.0.5?
Attachment #348717 -
Flags: approval1.9.0.5+
Attachment #348717 -
Flags: approval1.8.1.19?
Attachment #348717 -
Flags: approval1.8.1.19+
|
|
||
Updated•16 years ago
|
Whiteboard: [sg:moderate][needs branch patches] → [sg:moderate]
|
|
Assignee | |
Comment 7•16 years ago
|
||
Checked in
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: fixed1.8.1.19,
fixed1.9.0.5
Resolution: --- → FIXED
|
|
Assignee | |
Comment 8•16 years ago
|
||
Actually, I think this might not be fixed on trunk, even with XS-XHR support :(
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Updated•16 years ago
|
Flags: blocking1.9.1+
|
|
||
Comment 9•16 years ago
|
||
I'm a little confused about the 1.8 patch here (haven't looked at the rest). What's the point of setting mDenyResponseDataAccess _after_ the return statement?
Note that that's not what the patch in the bug has, but it's what I see at http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsXMLHttpRequest.cpp&rev=1.156.2.20&mark=2054-2057#2030
As in, is this even fixed on 1.8 branch?
|
|
Assignee | |
Comment 11•16 years ago
|
||
Attachment #350230 -
Flags: superreview?
Attachment #350230 -
Flags: review?
Attachment #350230 -
Flags: approval1.8.1.19?
|
||
Comment 12•16 years ago
|
||
Comment on attachment 350230 [details] [diff] [review]
Branch fix fix
Duh :)
Attachment #350230 -
Flags: superreview?
Attachment #350230 -
Flags: superreview+
Attachment #350230 -
Flags: review?
Attachment #350230 -
Flags: review+
|
|
||
Comment 13•16 years ago
|
||
Comment on attachment 350230 [details] [diff] [review]
Branch fix fix
Approved for 1.8.1.19. a=ss
Please land on the 1.8 branch as soon as possible.
Attachment #350230 -
Flags: approval1.8.1.19? → approval1.8.1.19+
|
|
Assignee | |
Comment 14•16 years ago
|
||
Landed on 1.8 branch.
Thanks for noticing bz!
Keywords: fixed1.8.1.19
|
|
||
Comment 15•16 years ago
|
||
No problem. Now if only I could figure out what might have changed on branch to cause the XHR issues this guy in m.d.t.network is seeing.... This certainly wasn't it. ;)
I'm just really glad we have unit tests on 1.9.0 and trunk.
|
||
Comment 16•16 years ago
|
||
Verified for 1.9.0 with the unit tests.
I don't have the infrastructure to do the 302 responses to manually test this for 1.8.1. Can someone offer a way to verify that this is really fixed for 1.8.1?
Keywords: fixed1.9.0.5 → verified1.9.0.5
|
|
||
Updated•16 years ago
|
Priority: -- → P2
Target Milestone: --- → mozilla1.9.1
|
||
Comment 17•16 years ago
|
||
|
|
||
Updated•16 years ago
|
Attachment #351892 -
Flags: review?(jonas)
|
|
||
Comment 18•16 years ago
|
||
Comment on attachment 351892 [details] [diff] [review]
1.8.0 branch patch
Can you please check the backport?
|
|
Assignee | |
Updated•16 years ago
|
Attachment #351892 -
Flags: review?(jonas) → review+
|
||
Comment 19•16 years ago
|
||
Comment on attachment 351892 [details] [diff] [review]
1.8.0 branch patch
a=asac for 1.8.0
Attachment #351892 -
Flags: approval1.8.0.next+
|
|
||
Updated•16 years ago
|
Flags: blocking1.8.0.next+
|
|
||
Updated•16 years ago
|
Alias: CVE-2008-5506
Group: core-security
|
|
Assignee | |
Comment 20•16 years ago
|
||
Marking as regression since this has been fixed on branch, but not yet on trunk
Keywords: regression
|
||
Comment 21•16 years ago
|
||
Jonas, does this need another patch for trunk? Or, do we just need to land?
|
|
||
Updated•16 years ago
|
Whiteboard: [sg:moderate] → [sg:moderate] needs landing
|
|
Assignee | |
Comment 22•16 years ago
|
||
Fixed in bug 479521
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Keywords: fixed1.9.1
Resolution: --- → FIXED
|
|
Assignee | |
Updated•16 years ago
|
Whiteboard: [sg:moderate] needs landing → [sg:moderate]
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•