Bug 461735 (CVE-2008-5507): [FIX]Security: theft of strings cross-domain with redirect, <script src> and window.onerror
Status: Closed, RESOLVED FIXED. Opened 16 years ago, closed 16 years ago.
Product / Component: Core :: DOM: Core & HTML (defect)
People: Reporter: scarybeasts, Assigned: bzbarsky
Keywords: fixed1.8.1.21, verified1.8.1.19, verified1.9.0.5; Whiteboard: [sg:high]
Attachments (4 files):
- 5.72 KB patch: jst: review+; jst: superreview+; beltzner: approval1.9.1b2+
- 5.58 KB patch: dveditz: approval1.9.0.5+
- 3.77 KB patch: dveditz: approval1.8.1.19+
- 2.93 KB patch: asac: approval1.8.0.next+
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.16) Gecko/20080716 Firefox/2.0.0.16
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.16) Gecko/20080716 Firefox/2.0.0.16
The URL above demos the problem nicely. Note that this is with FF3.0.3.
This is essentially a new twist to the existing bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=363897
This bug was fixed in FF3, but the fix can be bypassed with the redirector trick.
Also note that the bug referenced above underestimates the severity of leaking JS error messages cross-domain. Hopefully my demo illustrates that.
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Updated•16 years ago
Component: Security → DOM
Flags: wanted1.9.0.x?
OS: Linux → All
Product: Firefox → Core
QA Contact: firefox → general
Hardware: PC → All
Whiteboard: [sg:high]
Comment 1•16 years ago (Assignee)
Assignee: nobody → bzbarsky
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #345199 -
Flags: superreview?
Attachment #345199 -
Flags: review?
Updated•16 years ago (Assignee)
Summary: Security: theft of strings cross-domain with redirect, <script src> and window.onerror → [FIX]Security: theft of strings cross-domain with redirect, <script src> and window.onerror
Updated•16 years ago (Assignee)
Attachment #345199 -
Flags: superreview?(jst)
Attachment #345199 -
Flags: superreview?
Attachment #345199 -
Flags: review?(jst)
Attachment #345199 -
Flags: review?
Comment 2•16 years ago
bz, is this the same issue you mentioned in 363897 comment 10?
Comment 3•16 years ago (Assignee)
Somewhat. Fixing that issue would certainly fix this bug, but we can fix this bug without going to a principal-based check here.
Comment 4•16 years ago (Reporter)
By the way, theft is not limited to just a single word. If you have a CSV file such as:
a, b, 12345, c
Then it is possible to steal the textual content "a", "b" and "c" by:
- Steal "a" using above trick.
- Define "a" and rerun exploit.
- Steal "b" using above trick.
- etc., repeat
Strongly recommend backport to FF2
Updated•16 years ago
Flags: blocking1.8.1.19?
Updated•16 years ago
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.5+
Flags: blocking1.8.1.19?
Flags: blocking1.8.1.19+
Updated•16 years ago
Attachment #345199 -
Flags: superreview?(jst)
Attachment #345199 -
Flags: superreview+
Attachment #345199 -
Flags: review?(jst)
Attachment #345199 -
Flags: review+
Updated•16 years ago (Assignee)
Attachment #345199 -
Flags: approval1.9.1b2?
Comment 5•16 years ago (Assignee)
Comment on attachment 345199 [details] [diff] [review]
Let's use the final channel URI for the script filename
Would be good to get trunk/beta baking so that this can land on branches ASAP.
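The mechanism behind comment 4 and the fix named in the attachment title ("use the final channel URI") can be shown with a small model of the decision a browser makes before handing an error to window.onerror. The following is an added illustration, not Mozilla's code; the function names, the event shape and the URLs are constructed for this example. It shows why a same-origin redirector satisfied the pre-fix check, and how comparing the post-redirect URI instead reduces the report to "Script error." with line 0 (the filename itself was still reported at the time, as comment 19 shows).

```javascript
// Added example, not Mozilla's code: a model of the same-origin decision a
// browser makes before exposing a script error to window.onerror.
// Names and sample URLs are constructed for this illustration.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Model of a <script src> fetch: the URL the page requested and the URL the
// channel finally landed on after any HTTP redirects were followed.
function loadScript(requestedUrl, redirectTarget) {
  return { requestedUrl, finalUrl: redirectTarget || requestedUrl };
}

// Build the report handed to window.onerror. A same-origin script exposes the
// full message and line number; a cross-origin one is reduced to
// "Script error." with line 0. `useFinalUri` selects which URL the origin
// check is made against:
//   false: pre-fix behaviour, compare the URL the page requested. A
//          same-origin redirector passes even though the bytes came from
//          another host, so the ReferenceError text (the stolen token) leaks.
//   true:  post-fix behaviour, compare the final channel URI.
function buildErrorReport(documentUrl, load, err, useFinalUri) {
  const checked = useFinalUri ? load.finalUrl : load.requestedUrl;
  const sameOrigin = originOf(checked) === originOf(documentUrl);
  if (sameOrigin) {
    return { message: err.message, filename: load.finalUrl, lineno: err.lineno };
  }
  return { message: 'Script error.', filename: load.finalUrl, lineno: 0 };
}

// Constructed scenario mirroring the report: the page loads a same-origin
// redirector that forwards to a text file on another host; the file's first
// token is not a defined identifier, so evaluating it as script throws a
// ReferenceError whose message names that token.
const DOCUMENT_URL = 'http://page.example/demo.html';
const LOAD = loadScript('http://page.example/redir',
                        'http://other-site.example/secret.txt');
const ERR = { message: 'secret_token_1234 is not defined', lineno: 1 };

function demo() {
  return {
    before: buildErrorReport(DOCUMENT_URL, LOAD, ERR, false),
    after:  buildErrorReport(DOCUMENT_URL, LOAD, ERR, true),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints both reports: `before.message` carries the secret token, while `after.message` is "Script error." and `after.lineno` is 0. A genuinely same-origin script (no redirect off-origin) still gets its full message under the fixed check, which is what keeps ordinary error reporting usable.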
Updated•16 years ago
Whiteboard: [sg:high] → [sg:high][needs 1.9.1 approval/landing]
Comment 6•16 years ago
Comment on attachment 345199 [details] [diff] [review]
Let's use the final channel URI for the script filename
a=beltzner
Attachment #345199 -
Flags: approval1.9.1b2? → approval1.9.1b2+
Updated•16 years ago
Whiteboard: [sg:high][needs 1.9.1 approval/landing] → [sg:high][needs 1.9.1 landing]
Comment 7•16 years ago (Assignee)
Pushed changeset ffeecd437beb.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [sg:high][needs 1.9.1 landing] → [sg:high]
Comment 8•16 years ago (Assignee)
Attachment #347349 -
Flags: approval1.9.0.5?
Comment 9•16 years ago (Assignee)
Attachment #347353 -
Flags: approval1.8.1.18?
Comment 10•16 years ago
Comment on attachment 347353 [details] [diff] [review]
1.8 port
Approved for 1.8.1.19, a=dveditz for release-drivers
Attachment #347353 -
Flags: approval1.8.1.18? → approval1.8.1.19+
Updated•16 years ago
Attachment #347349 -
Flags: approval1.9.0.5? → approval1.9.0.5+
Comment 11•16 years ago
Comment on attachment 347349 [details] [diff] [review]
1.9.0 port
Approved for 1.9.0.5, a=dveditz for release-drivers
Comment 13•16 years ago
With both 1.8.1.18 and the nightly 1.8.1.19 build, http://cevans-app.appspot.com/static/ff3scriptredirbug.html gives an alert that looks like:
"The page at http://cevans-app.appspot.com says:
dd2afe8343e40cf09400b581912d0e6f is not defined at http://csftpd.beasts.org/steal_me/hex.txt: 1"
1.9.0.4 shows this as well but 1.9.0.5 seems fixed and gives a script error instead. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5pre) Gecko/2008112505 GranParadiso/3.0.5pre
So, this does not seem to be fixed on 1.8.1.19.
Keywords: fixed1.9.0.5 → verified1.9.0.5
Comment 14•16 years ago
I'm still seeing this in the latest 1.8.1.19 build: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008120103 BonEcho/2.0.0.19pre.
Updated•16 years ago
Keywords: fixed1.8.1.19
Comment 15•16 years ago
Looks like bug 363897 never got fixed on the 1.8 branch, does this fix rely on that one?
Comment 16•16 years ago (Assignee)
Yes, this one is just a refinement to that one.
Depends on: 363897
Comment 17•16 years ago
Fix for bug 363897 checked into the 1.8 branch, fixing this one. Waiting for tinderbox to clear before checking into the _RELBRANCH
Keywords: fixed1.8.1.20
Comment 19•16 years ago
This doesn't seem fixed (again)!
Using the official 1.8.1.19 release build on OS X, when I go to http://cevans-app.appspot.com/static/ff3scriptredirbug.html, I still get an alert that
looks like:
"The page at http://cevans-app.appspot.com says:
dd2afe8343e40cf09400b581912d0e6f is not defined at
http://csftpd.beasts.org/steal_me/hex.txt: 1"
This is the unfixed behavior.
On 3.0.5 and Trunk, I get an alert stating:
"The page at http://cevans-app.appspot.com says:
Script error.
at http://csftpd.beasts.org/steal_me/hex.txt: 0"
Comment 20•16 years ago
My bad, I grabbed build 1 accidentally. This is fixed correctly in build 2.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.19) Gecko/2008120316 Firefox/2.0.0.19
Keywords: fixed1.8.1.19 → verified1.8.1.19
Comment 21•16 years ago
Just for the record, it contains original 1.8 patch + build fixes checked in lately.
Comment 22•16 years ago
Comment on attachment 351895 [details] [diff] [review]
1.8.0 branch patch
a=asac for 1.8.0
Attachment #351895 -
Flags: approval1.8.0.next+
Updated•16 years ago
Flags: blocking1.8.0.next+
Updated•16 years ago
Alias: CVE-2008-5507
Group: core-security
Comment 23•16 years ago
Due to an error, the win32 builds that shipped today for Firefox 2.0.0.19 do not contain the fix from bug 363897, so the fix from this bug doesn't work there. Not sure what to do with the keywords to capture this.
Comment 25•16 years ago
But it was verified in the builds we built, and shipped on two out of three platforms. It's better to clone the bug for win32 I think.
Keywords: verified1.8.1.19
Comment 26•16 years ago
Filed bug 470027 to cover reshipping win32
Comment 27•16 years ago
After installation of 3.0.5, I am facing a problem with Greasemonkey scripts. By any chance has this fix resulted in an issue similar to https://bugzilla.mozilla.org/show_bug.cgi?id=405394 ?
Comment 28•15 years ago
The issue reported at http://secunia.com/advisories/39925 seems similar; did this, perhaps, regress?
Comment 29•15 years ago
This PoC works in Firefox 3.6:
http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html
Not sure if it's the same bug or not.
Comment 30•15 years ago (Assignee)
It's not quite, though it's pretty similar. Actually, it's even more similar to bug 363897, where we suppressed the line number and error text but not the filename.
Comment 31•15 years ago (Assignee)
Filed bug 568564 on that issue.
Updated•14 years ago (Assignee)
Depends on: CVE-2011-1187
Updated•6 years ago
Component: DOM → DOM: Core & HTML