Closed
Bug 48697
Opened 25 years ago
Closed 25 years ago
Bookmarked URLs can execute JS code with XPConnect calls
Categories
(Core :: Security: CAPS, defect, P3)
VERIFIED
INVALID
People
(Reporter: law, Assigned: security-bugs)
It seems as if javascript: bookmark URLs are evaluated in a context that permits
access to XPConnect.
This seems like it might be a security hole, especially since I just fixed bug
17524 which means that we now permit users to bookmark links (without actually
visiting the page). The exploit I'm envisioning would be something like a web
page that says "Bookmark this link to right now!" and the link contains
malicious javascript/XPConnect code.
I've set the URL in this bug to one that would demonstrate the problem (I
think), if you were to right-click on this link and bookmark it. Unfortunately,
you can't do that right this minute because I just checked in the fix for bug
17524 so it won't work till Monday's build.
If you refresh navigator.xul and nsContextMenu.js, it should work.
Alternatively, you can test this hole by simply doing "Manage Bookmarks" and
change a bookmark URL to be this, or something similar.
Comment 1 (Assignee) • 25 years ago
I can get access to Components from any kind of script, either content JavaScript
or a JS URL. However, I can't access Components.classes. I think access to
Components might be allowed to all, because it is harmless...but I could be
wrong.
Jband, is this an indication of dangerous behavior, or is this expected?
Bill, can you generate a dangerous exploit?
No, not without trying harder, I guess. Sorry for the false alarm. I figured
that xpconnect would be blocked by blocking access to the Components object in
its entirety.
Resolving as INVALID.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → INVALID