Bug 503226 (CVE-2009-3375)

document.getSelection() can read cross-origin content selections

RESOLVED FIXED

Status

()

Core
DOM: Core & HTML
P2
normal
RESOLVED FIXED
8 years ago
8 years ago

People

(Reporter: Gregory Fleischer, Assigned: smaug)

Tracking

({verified1.9.0.15, verified1.9.1})

unspecified
x86
All
verified1.9.0.15, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.2 +
blocking1.9.0.15 +
wanted1.9.0.x +
in-testsuite ?

Firefox Tracking Flags

(status1.9.2 beta1-fixed, blocking1.9.1 .4+, status1.9.1 .4-fixed)

Details

(Whiteboard: [sg:moderate])

Attachments

(2 attachments)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1pre) Gecko/20090708 Shiretoko/3.5.1pre

The document.getSelection() method can be used to read cross-origin content selections.

By storing a reference to the contentDocument of an iframe, any selections made within that iframe can be read regardless of origin.

This method appears to be deprecated.


Reproducible: Always
(Reporter)

Comment 1

8 years ago
Created attachment 387576 [details]
example of reading cross-origin selections

Select destination for iframe and select 'go'.  Make a text selection and the content should be displayed in an alert box.
The test shows the reported behaviour.  I suspect this should live in Content-land, particularly since jst wrote the deprecation message.  :)
Status: UNCONFIRMED → NEW
Component: General → DOM: Core & HTML
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Whiteboard: [sg:investigate]
(Assignee)

Updated

8 years ago
Assignee: nobody → Olli.Pettay
Flags: blocking1.9.2?
(Assignee)

Updated

8 years ago
Status: NEW → ASSIGNED
Marking this a blocker since this allows cross site data leakage.
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
(Assignee)

Comment 6

8 years ago
Created attachment 394093 [details] [diff] [review]
simple patch
Attachment #394093 - Flags: review?(jst)

Updated

8 years ago
Attachment #394093 - Flags: superreview+
Attachment #394093 - Flags: review?(jst)
Attachment #394093 - Flags: review+
(Assignee)

Updated

8 years ago
Attachment #394093 - Flags: review?(jonas)
(Assignee)

Comment 7

8 years ago
Comment on attachment 394093 [details] [diff] [review]
simple patch

AFAIK, security bugs need separate r and sr nowadays.
Attachment #394093 - Flags: review?(jonas) → review+
Comment on attachment 394093 [details] [diff] [review]
simple patch

mochitest?
(Assignee)

Comment 9

8 years ago
Don't want to add such before this is fixed everywhere.
(Assignee)

Comment 10

8 years ago
http://hg.mozilla.org/mozilla-central/rev/0aa2596a20cc
Status: ASSIGNED → RESOLVED
blocking1.9.1: --- → ?
Last Resolved: 8 years ago
Flags: blocking1.9.0.15?
Resolution: --- → FIXED
(Assignee)

Comment 11

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/015c3c8cf077
Keywords: fixed1.9.2
blocking1.9.1: ? → .4+
Flags: blocking1.9.0.15? → blocking1.9.0.15+
(Assignee)

Updated

8 years ago
Attachment #394093 - Flags: approval1.9.1.4?
(Assignee)

Updated

8 years ago
Attachment #394093 - Flags: approval1.9.0.15?
status1.9.1: --- → wanted
Flags: wanted1.9.0.x+
Comment on attachment 394093 [details] [diff] [review]
simple patch

Approved for 1.9.1.4 and 1.9.0.15, a=dveditz for release-drivers
Attachment #394093 - Flags: approval1.9.1.4?
Attachment #394093 - Flags: approval1.9.1.4+
Attachment #394093 - Flags: approval1.9.0.15?
Attachment #394093 - Flags: approval1.9.0.15+
(Assignee)

Comment 13

8 years ago
Checking in content/html/document/src/nsHTMLDocument.cpp;
/cvsroot/mozilla/content/html/document/src/nsHTMLDocument.cpp,v  <--  nsHTMLDocument.cpp
new revision: 3.792; previous revision: 3.791

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/bffd0a33d902
status1.9.1: wanted → .4-fixed
Keywords: fixed1.9.0.15
status1.9.2: --- → beta1-fixed
Keywords: fixed1.9.2
Verified attached testcase reproduces bug in 1.9.1.3 and is fixed in the 1.9.1.4pre build (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre) Gecko/20090914 Shiretoko/3.5.4pre).
Keywords: verified1.9.1
Verified for 1.9.0.15 as well with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15pre) Gecko/2009091606 GranParadiso/3.0.15pre (.NET CLR 3.5.30729).
Keywords: fixed1.9.0.15 → verified1.9.0.15
Whiteboard: [sg:investigate] → [sg:moderate]
Alias: CVE-2009-3375
(In reply to comment #9)
> Don't want to add such before this is fixed everywhere.

I can has test plz?
Flags: in-testsuite?
Group: core-security
You need to log in before you can comment on or make changes to this bug.