Closed Bug 48697 Opened 25 years ago Closed 25 years ago

Bookmarked URLs can execute JS code with XPConnect calls

Categories

(Core :: Security: CAPS, defect, P3)

Tracking

VERIFIED INVALID

People

(Reporter: law, Assigned: security-bugs)

It seems as if javascript: bookmark URLs are evaluated in a context that permits access to XPConnect. This seems like it might be a security hole, especially since I just fixed bug 17524 which means that we now permit users to bookmark links (without actually visiting the page). The exploit I'm envisioning would be something like a web page that says "Bookmark this link to right now!" and the link contains malicious javascript/XPConnect code. I've set the URL in this bug to one that would demonstrate the problem (I think), if you were to right-click on this link and bookmark it. Unfortunately, you can't do that right this minute because I just checked in the fix for bug 17524 so it won't work till Monday's build. If you refresh navigator.xul and nsContextMenu.js, it should work. Alternatively, you can test this hole by simply doing "Manage Bookmarks" and changing a bookmark URL to be this, or something similar.
I can get access to Components from any kind of script, either content JavaScript or a JS URL. However, I can't access Components.classes. I think access to Components might be allowed to all, because it is harmless...but I could be wrong. Jband, is this an indication of dangerous behavior, or is this expected? Bill, can you generate a dangerous exploit?
No, not without trying harder, I guess. Sorry for the false alarm. I figured that xpconnect would be blocked by blocking access to the Components object in its entirety. Resolving as INVALID.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → INVALID
Verified per law's comments.
Status: RESOLVED → VERIFIED
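
The concern raised in the opening report, a bookmark whose URL is a javascript: link, can be checked for in a saved bookmarks file. The following is an added example, not code from this bug or from Mozilla; it assumes a Netscape-format bookmarks export with double-quoted HREF attributes, and the names `schemeOf`, `auditBookmarks` and `mentionsComponents` are hypothetical.

```javascript
// Added example: flag javascript: bookmarks in a Netscape-format export.
// SAMPLE_BOOKMARKS is constructed for illustration.
const SAMPLE_BOOKMARKS = `<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
<DT><A HREF="http://www.mozilla.org/">Mozilla</A>
<DT><A HREF="javascript:void(0)">No-op helper</A>
<DT><A HREF=" JavaScript:alert(typeof Components)">Free prize</A>
<DT><A HREF="http://example.com/?q=javascript:Components">Search</A>
</DL><p>`;

// Return the scheme as a URL parser would see it, or null if there is none.
// Leading control/space characters and embedded tab/newlines are dropped
// first, and the scheme is compared case-insensitively.
function schemeOf(href) {
  const cleaned = href.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\r\n]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Undo the HTML escaping applied to attribute values and titles.
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
          .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// List every bookmark whose URL is a javascript: URL, and note whether the
// script text names the Components object discussed in this bug.
function auditBookmarks(html) {
  const findings = [];
  const anchor = /<A\b[^>]*\bHREF="([^"]*)"[^>]*>([\s\S]*?)<\/A>/gi;
  let m;
  while ((m = anchor.exec(html)) !== null) {
    const href = decodeEntities(m[1]);
    if (schemeOf(href) !== "javascript") continue; // ordinary link, skip
    findings.push({
      title: decodeEntities(m[2]).trim(),
      href,
      mentionsComponents: /\bComponents\b/.test(href),
    });
  }
  return findings;
}

for (const f of auditBookmarks(SAMPLE_BOOKMARKS)) {
  console.log(`${f.title}: ${f.href} (Components: ${f.mentionsComponents})`);
}
```

The `mentionsComponents` flag is only a triage hint for review: per the comments above, reaching `Components` did not give access to `Components.classes`.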