Bug 460002 (CVE-2008-5022)

It's possible to circumvent the inner window check in nsXMLHttpRequest::NotifyEventListeners()

VERIFIED FIXED

Status

Core
Security
VERIFIED FIXED
9 years ago
8 years ago

People

(Reporter: moz_bug_r_a4, Assigned: smaug)

Tracking

({verified1.8.1.18, verified1.9.0.4})

unspecified
x86
Windows XP
verified1.8.1.18, verified1.9.0.4
Bug Flags:
blocking1.9.0.4 +
wanted1.9.0.x +
blocking1.8.1.18 +
wanted1.8.1.x +
blocking1.8.0.next +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high])

Attachments

(6 attachments)

(Reporter)

Description

9 years ago
This bug is for fx3.0.x and fx2.0.0.x.

In nsXMLHttpRequest::NotifyEventListeners(), CheckInnerWindowCorrectness() is
called only once, and then multiple listeners are called.  Thus, it's possible
to circumvent the inner window check by using two listeners.

(Trunk is also exploitable in the same way, but depends on bug 460001.)
(Reporter)

Comment 1

9 years ago
Created attachment 343192 [details]
testcase 1

This tries to get cookies for www.mozilla.com.
This works on fx3.0.x.
(Reporter)

Comment 2

9 years ago
Created attachment 343193 [details]
testcase 2

This tries to get cookies for www.mozilla.com.
This works on fx2.0.0.x.
(Assignee)

Updated

9 years ago
Assignee: nobody → Olli.Pettay
(Assignee)

Updated

9 years ago
Flags: blocking1.9.0.4?
Flags: blocking1.8.1.18?
(Assignee)

Comment 3

9 years ago
For some reason I can't reproduce on ff2.0.0.x using either testcase.
Testcase 1 shows the bug on FF3.
(Assignee)

Comment 4

9 years ago
Created attachment 343213 [details] [diff] [review]
for 1.9.0

Fixes FF3
Attachment #343213 - Flags: superreview?(jonas)
Attachment #343213 - Flags: review?(jonas)
(Assignee)

Comment 5

9 years ago
Created attachment 343214 [details] [diff] [review]
for 1.8

Should fix 1.8. Note, the first check can't be removed in 1.8, because there is one HandleEvent call before the loop.
Anyone who can reproduce on FF2, please verify that this fixes the problem.
Attachment #343214 - Flags: superreview?(jonas)
Attachment #343214 - Flags: review?(jonas)
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Whiteboard: [sg:high]
Flags: blocking1.9.0.4?
Flags: blocking1.9.0.4+
Flags: blocking1.8.1.18?
Flags: blocking1.8.1.18+
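The pattern behind the description and the fix discussed in comment 5, as an added example and not Gecko's own code: a single inner-window check before a loop is a time-of-check/time-of-use gap, because any listener can navigate the window, so the check has to be repeated before each HandleEvent call. All type and function names here (MockWindow, MockXHR, notifyOnceChecked, notifyPerListenerChecked, runScenario) are hypothetical stand-ins for the real nsXMLHttpRequest machinery.

```cpp
#include <functional>
#include <vector>

// Hypothetical model of an outer window: it only knows which inner window is current.
struct MockWindow {
    int currentInnerId;  // changes whenever the window navigates to a new document
};

// Hypothetical model of the request: remembers the inner window that created it.
struct MockXHR {
    MockWindow* owner;
    int ownerInnerId;
    std::vector<std::function<void(MockXHR&)>> listeners;

    // Stands in for CheckInnerWindowCorrectness(): the request is only valid
    // while the inner window that created it is still the current one.
    bool innerWindowOk() const { return owner->currentInnerId == ownerInnerId; }
};

// Shape described in the bug: one check, then every listener runs unchecked.
// Returns how many listeners were invoked.
int notifyOnceChecked(MockXHR& xhr) {
    if (!xhr.innerWindowOk()) return 0;
    int invoked = 0;
    for (auto& listener : xhr.listeners) { listener(xhr); ++invoked; }
    return invoked;
}

// Hardened shape: re-check before each listener, since an earlier listener may
// have navigated the window and made the request's inner window stale.
int notifyPerListenerChecked(MockXHR& xhr) {
    int invoked = 0;
    for (auto& listener : xhr.listeners) {
        if (!xhr.innerWindowOk()) break;  // stop dispatching to a stale window
        listener(xhr);
        ++invoked;
    }
    return invoked;
}

// Constructed scenario: listener 1 navigates the window (inner id 1 -> 2),
// so listener 2 must not be delivered. Returns the invocation count.
int runScenario(int (*notify)(MockXHR&)) {
    MockWindow win{1};
    MockXHR xhr{&win, 1, {}};
    xhr.listeners.push_back([](MockXHR& x) { x.owner->currentInnerId = 2; });
    xhr.listeners.push_back([](MockXHR&) { /* would observe the new document */ });
    return notify(xhr);
}
```

With the once-checked loop both listeners run (count 2); with the per-listener check the second one is suppressed (count 1), which is the behaviour the patch restores.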
(Reporter)

Comment 6

9 years ago
I can reproduce "testcase 2" on Windows, but cannot on Linux.  I'll attach a
new testcase that is reproducible on fx2 on both Windows and Linux.

And, using the new testcase on Linux, I verified that the patch fixes the
problem.
(Reporter)

Comment 7

9 years ago
Created attachment 343366 [details]
testcase 3

This tries to get cookies for www.mozilla.com.
This works on fx2.0.0.x on Windows and Linux.
Attachment #343213 - Flags: superreview?(jonas)
Attachment #343213 - Flags: superreview+
Attachment #343213 - Flags: review?(jonas)
Attachment #343213 - Flags: review+
Attachment #343214 - Flags: superreview?(jonas)
Attachment #343214 - Flags: superreview+
Attachment #343214 - Flags: review?(jonas)
Attachment #343214 - Flags: review+
(Assignee)

Updated

9 years ago
Keywords: checkin-needed
(Assignee)

Updated

9 years ago
Attachment #343213 - Flags: approval1.9.0.4?
(Assignee)

Updated

9 years ago
Attachment #343214 - Flags: approval1.8.1.18?
Comment on attachment 343214 [details] [diff] [review]
for 1.8

Approved for 1.8.1.18, a=dveditz for release-drivers
Attachment #343214 - Flags: approval1.8.1.18? → approval1.8.1.18+
Comment on attachment 343213 [details] [diff] [review]
for 1.9.0

Approved for 1.9.0.4, a=dveditz for release-drivers
Attachment #343213 - Flags: approval1.9.0.4? → approval1.9.0.4+
(Assignee)

Updated

9 years ago
Keywords: checkin-needed → fixed1.8.1.18, fixed1.9.0.4
(Assignee)

Updated

9 years ago
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Verified for 1.8.1.18 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18pre) Gecko/2008102103 BonEcho/2.0.0.18pre.
Keywords: fixed1.8.1.18 → verified1.8.1.18
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre using both testcases.
Keywords: fixed1.9.0.4 → verified1.9.0.4
Verified that this is not an issue in 3.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081020 Minefield/3.1b2pre.
Status: RESOLVED → VERIFIED

Comment 13

9 years ago
Comment on attachment 343214 [details] [diff] [review]
for 1.8

a=asac for 1.8.0 branch (needs some context adjustments)
Attachment #343214 - Flags: approval1.8.0.15+

Comment 14

9 years ago
Created attachment 347315 [details] [diff] [review]
1.8.0 (clean context)
Alias: CVE-2008-5022
Group: core-security

Updated

8 years ago
Flags: blocking1.8.0.next+