Bug 461735 - (CVE-2008-5507) [FIX]Security: theft of strings cross-domain with redirect, <script src> and window.onerror
Status: RESOLVED FIXED
[sg:high]
: fixed1.8.1.21, verified1.8.1.19, verified1.9.0.5
Product: Core
Classification: Components
Component: DOM
Version: unspecified
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Boris Zbarsky [:bz]
URL: http://cevans-app.appspot.com/static/...
Depends on: 363897 CVE-2011-1187
Blocks: 470027
Reported: 2008-10-26 20:28 PDT by Chris Evans
Modified: 2011-03-01 05:31 PST (History)
dveditz: blocking1.9.0.5+
dveditz: wanted1.9.0.x+
dveditz: blocking1.8.1.19+
dveditz: wanted1.8.1.x+
asac: blocking1.8.0.next+
bzbarsky: in‑testsuite+
Attachments
Let's use the final channel URI for the script filename (5.72 KB, patch)
2008-10-28 17:22 PDT, Boris Zbarsky [:bz]
jst: review+
jst: superreview+
mbeltzner: approval1.9.1b2+
1.9.0 port (5.58 KB, patch)
2008-11-10 13:18 PST, Boris Zbarsky [:bz]
dveditz: approval1.9.0.5+
1.8 port (3.77 KB, patch)
2008-11-10 13:28 PST, Boris Zbarsky [:bz]
dveditz: approval1.8.1.19+
1.8.0 branch patch (2.93 KB, patch)
2008-12-08 06:44 PST, Martin Stránský
asac: approval1.8.0.next+

Description Chris Evans 2008-10-26 20:28:47 PDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.16) Gecko/20080716 Firefox/2.0.0.16
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.16) Gecko/20080716 Firefox/2.0.0.16

The URL above demos the problem nicely. Note that this is with FF3.0.3.
This is essentially a new twist to the existing bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=363897
This bug was fixed in FF3, but the fix can be bypassed with the redirector trick.
Also note that the bug referenced above underestimates the severity of leaking JS error messages cross-domain. Hopefully my demo illustrates that.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Comment 1 Boris Zbarsky [:bz] 2008-10-28 17:22:34 PDT
Created attachment 345199 [details] [diff] [review]
Let's use the final channel URI for the script filename
Comment 2 Jesse Ruderman 2008-10-28 17:25:19 PDT
bz, is this the same issue you mentioned in 363897 comment 10?
Comment 3 Boris Zbarsky [:bz] 2008-10-28 17:41:16 PDT
Somewhat.  Fixing that issue would certainly fix this bug, but we can fix this bug without going to a principal-based check here.
Comment 4 Chris Evans 2008-11-01 13:42:00 PDT
By the way, theft is not limited to just a single word. If you have a CSV file such as:
a, b, 12345, c
Then it is possible to steal the textual content "a", "b" and "c" by:
- Steal "a" using above trick.
- Define "a" and rerun exploit.
- Steal "b" using above trick.
- etc., repeat

Strongly recommend backport to FF2
Comment 5 Boris Zbarsky [:bz] 2008-11-06 13:12:12 PST
Comment on attachment 345199 [details] [diff] [review]
Let's use the final channel URI for the script filename

Would be good to get trunk/beta baking so that this can land on branches ASAP.
Comment 6 Mike Beltzner [:beltzner, not reading bugmail] 2008-11-10 10:03:37 PST
Comment on attachment 345199 [details] [diff] [review]
Let's use the final channel URI for the script filename

a=beltzner
Comment 7 Boris Zbarsky [:bz] 2008-11-10 13:17:58 PST
Pushed changeset ffeecd437beb.
Comment 8 Boris Zbarsky [:bz] 2008-11-10 13:18:13 PST
Created attachment 347349 [details] [diff] [review]
1.9.0 port
Comment 9 Boris Zbarsky [:bz] 2008-11-10 13:28:20 PST
Created attachment 347353 [details] [diff] [review]
1.8 port
Comment 10 Daniel Veditz [:dveditz] 2008-11-13 10:42:33 PST
Comment on attachment 347353 [details] [diff] [review]
1.8 port

Approved for 1.8.1.19, a=dveditz for release-drivers
Comment 11 Daniel Veditz [:dveditz] 2008-11-13 10:42:44 PST
Comment on attachment 347349 [details] [diff] [review]
1.9.0 port

Approved for 1.9.0.5, a=dveditz for release-drivers
Comment 12 Boris Zbarsky [:bz] 2008-11-17 08:03:09 PST
Fixed on both branches.
Comment 13 Al Billings [:abillings] 2008-11-25 15:21:10 PST
With both 1.8.1.18 and the nightly 1.8.1.19 build, http://cevans-app.appspot.com/static/ff3scriptredirbug.html gives an alert that looks like:

"The page at http://cevans-app.appspot.com says:
dd2afe8343e40cf09400b581912d0e6f is not defined at http://csftpd.beasts.org/steal_me/hex.txt: 1"

1.9.0.4 shows this as well but 1.9.0.5 seems fixed and gives a script error instead. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5pre) Gecko/2008112505 GranParadiso/3.0.5pre

So, this does not seem to be fixed on 1.8.1.19.
Comment 14 Al Billings [:abillings] 2008-12-01 12:06:22 PST
I'm still seeing this in the latest 1.8.1.19 build: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008120103 BonEcho/2.0.0.19pre.
Comment 15 Daniel Veditz [:dveditz] 2008-12-01 22:26:51 PST
Looks like bug 363897 never got fixed on the 1.8 branch, does this fix rely on that one?
Comment 16 Boris Zbarsky [:bz] 2008-12-02 09:07:41 PST
Yes, this one is just a refinement to that one.
Comment 17 Daniel Veditz [:dveditz] 2008-12-02 19:50:09 PST
Fix for bug 363897 checked into the 1.8 branch, fixing this one. Waiting for tinderbox to clear before checking into the _RELBRANCH
Comment 18 Daniel Veditz [:dveditz] 2008-12-02 20:34:33 PST
On the _RELBRANCH now.
Comment 19 Al Billings [:abillings] 2008-12-04 10:29:28 PST
This doesn't seem fixed (again)!

Using the official 1.8.1.19 release build on OS X, when I go to http://cevans-app.appspot.com/static/ff3scriptredirbug.html, I still get an alert that
looks like:

"The page at http://cevans-app.appspot.com says:
dd2afe8343e40cf09400b581912d0e6f is not defined at
http://csftpd.beasts.org/steal_me/hex.txt: 1"

This is the unfixed behavior.

On 3.0.5 and Trunk, I get an alert stating:

"The page at http://cevans-app.appspot.com says:
Script error.
at http://csftpd.beasts.org/steal_me/hex.txt: 0"
Comment 20 Al Billings [:abillings] 2008-12-04 10:35:49 PST
My bad, I grabbed build 1 accidentally. This is fixed correctly in build 2.

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.19) Gecko/2008120316 Firefox/2.0.0.19
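The two alerts quoted in comments 19 and 20 are the unfixed and fixed outcomes of one decision: whether the script that threw is same-origin with the page, and therefore whether window.onerror may see the real message and line number. The block below is an added illustration, not Gecko code or any attachment from this bug; it assumes the fix amounts to performing that comparison against the script's final (post-redirect) URL instead of the URL the page requested, and all URLs and the error token in it are constructed.

```javascript
// Added model of the same-origin check behind window.onerror sanitization.
// Not Gecko code: it only shows why comparing against the final channel
// URI (the idea in attachment 345199's title) closes the redirector bypass.

// Origin (scheme://host[:port]) of an absolute URL.
function originOf(url) {
  return new URL(url).origin;
}

// What window.onerror is told about an error thrown by an external script.
//   pageUrl      - document containing the <script src> element
//   requestedSrc - the src the page asked for (may be a same-origin redirector)
//   finalUrl     - where the script bytes actually came from after redirects
//   err          - the real error, e.g. { message: 'foo is not defined', lineno: 1 }
//   useFinalUri  - false: compare against requestedSrc (models the pre-fix behaviour)
//                  true:  compare against finalUrl (models the fix)
function onerrorReport(pageUrl, requestedSrc, finalUrl, err, useFinalUri) {
  const checkedUrl = useFinalUri ? finalUrl : requestedSrc;
  if (originOf(pageUrl) === originOf(checkedUrl)) {
    // Same origin: the page may see the real message and line number.
    return { message: err.message, filename: checkedUrl, lineno: err.lineno };
  }
  // Cross origin: the message can echo tokens from the fetched body
  // ("<token> is not defined"), so only a generic report is exposed.
  return { message: 'Script error.', filename: checkedUrl, lineno: 0 };
}

// Constructed scenario: a same-origin redirector forwards to a cross-origin text file.
const PAGE = 'http://page.example/index.html';
const REDIRECTOR = 'http://page.example/redir?to=secret';
const TARGET = 'http://other.example/secret.txt';
const REAL_ERROR = { message: 'hunter2 is not defined', lineno: 1 };

// Pre-fix: the redirector looks same-origin, so the token from the file leaks.
const leaked = onerrorReport(PAGE, REDIRECTOR, TARGET, REAL_ERROR, false);
// Fixed: the final URI is cross-origin, so only "Script error." at line 0 is reported.
const sanitized = onerrorReport(PAGE, REDIRECTOR, TARGET, REAL_ERROR, true);
```

The `sanitized` result matches the shape of the 3.0.5 alert in comment 19 (generic message, line 0), while `leaked` matches the unfixed alert.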
Comment 21 Martin Stránský 2008-12-08 06:44:48 PST
Created attachment 351895 [details] [diff] [review]
1.8.0 branch patch

Just for the record, it contains original 1.8 patch + build fixes checked in lately.
Comment 22 Alexander Sack 2008-12-16 01:07:19 PST
Comment on attachment 351895 [details] [diff] [review]
1.8.0 branch patch

a=asac for 1.8.0
Comment 23 Nick Thomas [:nthomas] 2008-12-17 02:20:17 PST
Due to an error, the win32 builds that shipped today for Firefox 2.0.0.19 do not contain the fix from bug 363897, so the fix from this bug doesn't work there. Not sure what to do with the keywords to capture this.
Comment 24 Mike Beltzner [:beltzner, not reading bugmail] 2008-12-17 05:11:46 PST
Removing verified1.8.1.19 as per comment 23
Comment 25 Daniel Veditz [:dveditz] 2008-12-17 10:23:35 PST
But it was verified in the builds we built, and shipped on two out of three platforms. It's better to clone the bug for win32 I think.
Comment 26 Daniel Veditz [:dveditz] 2008-12-17 10:29:21 PST
Filed bug 470027 to cover reshipping win32
Comment 27 Amol 2008-12-23 00:43:12 PST
After installation of 3.0.5, I am facing a problem with Greasemonkey scripts. By any chance, has this fix resulted in an issue similar to https://bugzilla.mozilla.org/show_bug.cgi?id=405394 ?
Comment 28 Mike Beltzner [:beltzner, not reading bugmail] 2010-05-27 06:33:51 PDT
The issue reported at http://secunia.com/advisories/39925 seems similar; did this, perhaps, regress?
Comment 29 Mike Beltzner [:beltzner, not reading bugmail] 2010-05-27 06:36:55 PDT
This PoC works in Firefox 3.6:

http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html

Not sure if it's the same bug or not.
Comment 30 Boris Zbarsky [:bz] 2010-05-27 06:59:10 PDT
It's not quite, though it's pretty similar.  Actually, it's even more similar to bug 363897, where we suppressed the line number and error text but not the filename.
Comment 31 Boris Zbarsky [:bz] 2010-05-27 10:56:03 PDT
Filed bug 568564 on that issue.