Closed
Bug 529594
(CVE-2009-4129)
Opened 16 years ago
Closed 13 years ago
Mozilla Firefox local file Popup Message Spoofing Vulnerability (TSA-20091117-006)
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | - |
People
(Reporter: reed, Unassigned)
References
Details
(Keywords: sec-low, testcase, Whiteboard: [sg:low spoof])
Received the following advisory today at security@. Not really sure what component it would fall under, so filing it under Core :: General for now.
==========================================================================
+------------------------------------------------------------------------+
| TOPSEC SECURITY RESEARCH LAB November 17, 2009 |
| http://www.topsec.com.cn TSA-20091117-006 |
| |
| Product: Firefox |
| Summary: Popup message spoofing. |
+------------------------------------------------------------------------+
BACKGROUND
----------
Firefox is Mozilla Foundation's open source web browser application. More
information is available at the following website:
http://www.mozilla.com/firefox/
OVERVIEW
--------
Firefox v3.5.5 is prone to popup message spoofing contained inside a web
page on another domain.
Popup message spoofing can be done by a mismatch of URL in the browser
address bar and the true origin of popup message . A real exploitation of
this issue is in the following scenario: When a user opens the malicious
web page using Firefox v3.5.5 will see address(example: digg.com) but
when popup message is displayed, the displayed popup message could be
from another domain, not the address shown(digg.com).
An attacker can use this vulnerability in order to hide his address and
perform social engineering attacks to perform a successful Internet user
targeting attack.
WORKAROUND
----------
Although it is not widely viewed as a viable workaround, disabling
scripting can prevent exploitation of this vulnerability. The following
steps explains how to disable this setting on Firefox 3.
1. From the "Tools" menu, select "Options"
2. Navigate to the "Content" settings.
3. Ensure that "Enable JavaScript" is not checked.
|
Reporter | |
Comment 5•16 years ago
|
||
Hmm, I'm not seeing "[JavaScript Application]" as my window title. I see "The page at https://bug529594.bugzilla.mozilla.org says..." Maybe I need to run these locally? I'll test that.
Keywords: testcase
|
|
Reporter | |
Comment 6•16 years ago
|
||
Indeed. If I run the testcase locally (and have it point to a local file), I get "[JavaScript Application]" as the window title.
|
|
Reporter | |
Updated•16 years ago
|
Whiteboard: spoof
|
|
Reporter | |
Comment 8•16 years ago
|
||
No difference between absolute or relative URL. I seem to only be able to get "[JavaScript Application]" when the files are local to my machine. I have one more thing to test just to make sure the attachment redirect isn't causing problems.
|
|
Reporter | |
Comment 9•16 years ago
|
||
Nope, still getting a title that says "The page at <url> says:" even when accessing the files without some type of redirect.
|
||
Comment 10•16 years ago
|
||
This is not exploitable from the web where we clearly show the host name that originated the prompt. We don't for local files -- for prompts from a hostless source we use the old generic script title. At the time we weren't all that worried about downloaded malicious files, but it wouldn't be hard to change the title to say it's a local source. Even then there's spoofing risk because people read the dialogs and not the titles, but you can only do so much.
Leaving this open in case we want to change prompt titles for hostless sources, but it doesn't need to be a hidden security bug.
Group: core-security
Summary: Mozilla Firefox Popup Message Spoofing Vulnerability (TSA-20091117-006) → Mozilla Firefox local file Popup Message Spoofing Vulnerability (TSA-20091117-006)
|
||
Comment 11•16 years ago
|
||
I disagree with comment 10. I think it's a bug that the evil page can make a popup appear directly above a page from another domain, and I don't think the "host X says:" really saves us.
If we want to change prompt titles for hostless sources, that should be a separate bug.
Whiteboard: spoof → [sg:low] spoof
|
|
||
Comment 12•16 years ago
|
||
Where is it coming up from a different domain? In the examples here it's all the same domain and that doesn't seem to be the trick they're trying to pull.
Are you saying that a cross-origin frame/plugin should not be allowed to use alert/prompt/confirm ever? That's maybe worth persuing (though it will have some collateral damage), but I didn't think that's what this bug is about.
|
|
||
Comment 13•16 years ago
|
||
Ah, the joys of a high latency connection. I dismissed the prompt over a blank page (with the URL bar still saying bugzilla) before any digg content came up.
Group: core-security
|
|
||
Comment 14•16 years ago
|
||
So what you really want is that the prompt service should fail if the page is already navigating, or the modal dialog should suspend/cancel the navigation.
|
||
Comment 15•16 years ago
|
||
I'm with Jesse. Window title is a mitigation, but address bar is primary, for determining URL.
|
|
Reporter | |
Updated•15 years ago
|
Alias: CVE-2009-4129
|
|
Reporter | |
Updated•15 years ago
|
Whiteboard: [sg:low] spoof → [sg:low spoof]
|
|
||
Updated•15 years ago
|
blocking2.0: --- → ?
|
||
Updated•15 years ago
|
blocking2.0: ? → -
Component: General → DOM
QA Contact: general → general
|
||
Comment 17•13 years ago
|
||
Given that we have now tab specific prompt/alert/etc, this should be WFM.
Can't reproduce the problem.
Marking WFM, please reopen if you see still some issue.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
|
|
||
Updated•11 years ago
|
Group: core-security
|
Assignee | |
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•