Bug 460002 - (CVE-2008-5022) It's possible to circumvent the inner window check in nsXMLHttpRequest::NotifyEventListeners()
Status: VERIFIED FIXED
Whiteboard: [sg:high]
Keywords: verified1.8.1.18, verified1.9.0.4
Product: Core
Classification: Components
Component: Security
Version: unspecified
Platform: x86 Windows XP
Importance: -- normal
Target Milestone: ---
Assigned To: Olli Pettay [:smaug]
Reported: 2008-10-15 02:18 PDT by moz_bug_r_a4
Modified: 2009-01-05 13:08 PST
dveditz: blocking1.9.0.4+
samuel.sidler+old: wanted1.9.0.x+
dveditz: blocking1.8.1.18+
samuel.sidler+old: wanted1.8.1.x+
asac: blocking1.8.0.next+
Attachments

- testcase 1 (1.00 KB, text/html), 2008-10-15 02:19 PDT, moz_bug_r_a4, no flags
- testcase 2 (1.01 KB, text/html), 2008-10-15 02:21 PDT, moz_bug_r_a4, no flags
- for 1.9.0 (1.43 KB, patch), 2008-10-15 05:07 PDT, Olli Pettay [:smaug]: jonas: review+, jonas: superreview+, dveditz: approval1.9.0.4+
- for 1.8 (901 bytes, patch), 2008-10-15 05:09 PDT, Olli Pettay [:smaug]: jonas: review+, jonas: superreview+, dveditz: approval1.8.1.18+, asac: approval1.8.0.next+
- testcase 3 (1.68 KB, text/html), 2008-10-16 00:29 PDT, moz_bug_r_a4, no flags
- 1.8.0 (clean context) (818 bytes, patch), 2008-11-10 09:43 PST, Alexander Sack, no flags

Description moz_bug_r_a4 2008-10-15 02:18:18 PDT
This bug is for fx3.0.x and fx2.0.0.x.

In nsXMLHttpRequest::NotifyEventListeners(), CheckInnerWindowCorrectness() is
called only once, and then multiple listeners are called.  Thus, it's possible
to circumvent the inner window check by using two listeners.

(Trunk is also exploitable in the same way, but depends on bug 460001.)
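The check-once-then-dispatch-many pattern described above, modelled as an added illustration (not Gecko code; `Window`, `Xhr`, `innerWindowOk` and `runScenario` are hypothetical stand-ins for the real nsXMLHttpRequest internals). The first listener swaps the inner window, as a navigation would; with a single up-front check the second listener still runs, while re-checking before each listener stops the dispatch.

```cpp
#include <cassert>
#include <functional>
#include <vector>

// Hypothetical model of a window whose "inner window" changes on navigation.
struct Window { int innerId; };

struct Xhr {
    Window* owner = nullptr;   // the window the request was created in
    int boundInnerId = 0;      // inner window id recorded at creation
    std::vector<std::function<void(Xhr&)>> listeners;
    int ran = 0;               // how many listeners actually executed

    // Stand-in for CheckInnerWindowCorrectness(): the request may only
    // fire while the owner's current inner window is the one it was bound to.
    bool innerWindowOk() const { return owner->innerId == boundInnerId; }

    // Vulnerable shape: one check, then every listener runs regardless of
    // what earlier listeners did to the window.
    void notifyCheckOnce() {
        if (!innerWindowOk()) return;
        for (auto& l : listeners) { ++ran; l(*this); }
    }

    // Hardened shape: the check is repeated before each listener, so a
    // listener that invalidates the window ends the dispatch.
    void notifyCheckEach() {
        for (auto& l : listeners) {
            if (!innerWindowOk()) return;
            ++ran;
            l(*this);
        }
    }
};

// Two-listener scenario from the report (constructed): listener 1 changes
// the inner window, listener 2 would then run in a stale context.
// Returns the number of listeners that ran.
int runScenario(bool checkEach) {
    Window w{1};
    Xhr x;
    x.owner = &w;
    x.boundInnerId = w.innerId;
    x.listeners.push_back([](Xhr& r) { r.owner->innerId = 2; });
    x.listeners.push_back([](Xhr&) { /* observes whatever window is current */ });
    if (checkEach) x.notifyCheckEach(); else x.notifyCheckOnce();
    return x.ran;
}
```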
Comment 1 moz_bug_r_a4 2008-10-15 02:19:51 PDT
Created attachment 343192: testcase 1

This tries to get cookies for www.mozilla.com.
This works on fx3.0.x.
Comment 2 moz_bug_r_a4 2008-10-15 02:21:21 PDT
Created attachment 343193: testcase 2

This tries to get cookies for www.mozilla.com.
This works on fx2.0.0.x.
Comment 3 Olli Pettay [:smaug] 2008-10-15 04:41:56 PDT
For some reason I can't reproduce on ff2.0.0.x, using either testcase.
Testcase 1 shows the bug on FF3.
Comment 4 Olli Pettay [:smaug] 2008-10-15 05:07:20 PDT
Created attachment 343213 (patch): for 1.9.0

Fixes FF3
Comment 5 Olli Pettay [:smaug] 2008-10-15 05:09:06 PDT
Created attachment 343214 (patch): for 1.8

Should fix 1.8. Note, the first check can't be removed in 1.8, because there is one HandleEvent call before the loop.
Anyone who can reproduce on FF2, please verify that this fixes the problem.
Comment 6 moz_bug_r_a4 2008-10-16 00:28:08 PDT
I can reproduce "testcase 2" on Windows, but cannot on Linux.  I'll attach a
new testcase that is reproducible on fx2 on both Windows and Linux.

And, using the new testcase on Linux, I verified that the patch fixes the
problem.
Comment 7 moz_bug_r_a4 2008-10-16 00:29:52 PDT
Created attachment 343366: testcase 3

This tries to get cookies for www.mozilla.com.
This works on fx2.0.0.x on Windows and Linux.
Comment 8 Daniel Veditz [:dveditz] 2008-10-20 11:29:15 PDT
Comment on attachment 343214 (patch): for 1.8

Approved for 1.8.1.18, a=dveditz for release-drivers
Comment 9 Daniel Veditz [:dveditz] 2008-10-20 11:29:25 PDT
Comment on attachment 343213 (patch): for 1.9.0

Approved for 1.9.0.4, a=dveditz for release-drivers
Comment 10 Al Billings [:abillings] 2008-10-21 14:40:11 PDT
Verified for 1.8.1.18 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18pre) Gecko/2008102103 BonEcho/2.0.0.18pre.
Comment 11 Al Billings [:abillings] 2008-10-21 15:45:01 PDT
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre using both testcases.
Comment 12 Al Billings [:abillings] 2008-10-21 15:45:51 PDT
Verified that this is not an issue in 3.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081020 Minefield/3.1b2pre.
Comment 13 Alexander Sack 2008-11-10 09:42:39 PST
Comment on attachment 343214 (patch): for 1.8

a=asac for 1.8.0 branch (needs some context adjustments)
Comment 14 Alexander Sack 2008-11-10 09:43:33 PST
Created attachment 347315 (patch): 1.8.0 (clean context)