Bookmarked URLs can execute JS code with XPConnect calls

Status: VERIFIED INVALID
Priority: P3, Severity: normal
Reporter: law; Assigned: security-bugs
Tracking: Trunk

Description (Reporter, 18 years ago)

It seems as if javascript: bookmark URLs are evaluated in a context that permits
access to XPConnect.

This seems like it might be a security hole, especially since I just fixed bug
17524 which means that we now permit users to bookmark links (without actually
visiting the page).  The exploit I'm envisioning would be something like a web
page that says "Bookmark this link right now!" and the link contains
malicious javascript/XPConnect code.

I've set the URL in this bug to one that would demonstrate the problem (I
think), if you were to right-click on this link and bookmark it.  Unfortunately,
you can't do that right this minute because I just checked in the fix for bug
17524 so it won't work till Monday's build.

If you refresh navigator.xul and nsContextMenu.js, it should work.

Alternatively, you can test this hole by simply doing "Manage Bookmarks" and
change a bookmark URL to be this, or something similar.

Comment 1 (Assignee, 18 years ago)

I can get access to Components from any kind of script, either content Javascript
or a JS URL. However, I can't access Components.classes. I think access to
Components might be allowed to all, because it is harmless...but I could be
wrong.

Jband, is this an indication of dangerous behavior, or is this expected? 

Bill, can you generate a dangerous exploit?

Comment 2 (Reporter, 18 years ago)

No, not without trying harder, I guess.  Sorry for the false alarm.  I figured
that xpconnect would be blocked by blocking access to the Components object in
its entirety.

Resolving as INVALID.
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → INVALID


Comment 3 (18 years ago)

Verified per law's comments.
Status: RESOLVED → VERIFIED