Bug 552090 (CVE-2010-2764): XHR Cross Site Status leak from xhr.statusText
Status: Closed (opened 14 years ago, closed 14 years ago)
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: haggardii, Assigned: mrbkap
Details: Keywords: verified1.9.1, verified1.9.2; Whiteboard: [sg:low]
Attachments (1 file)
patch, 11.11 KB: sicking: review+; jst: superreview+; dveditz: approval1.9.2.9+, approval1.9.1.12+
Description

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8

In content/base/src/nsXMLHttpRequest.cpp, GetStatus() checks for a leak of status information from denied cross-site requests, but GetStatusText() does not:

    nsXMLHttpRequest::GetStatus(PRUint32 *aStatus)
    {
      *aStatus = 0;
      if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
        // Make sure we don't leak status information from denied cross-site
        // requests.
        if (mChannel) {
          nsresult status;
          mChannel->GetStatus(&status);
          if (NS_FAILED(status)) {
            return NS_OK;
          }
        }
      }
      // ... (rest of GetStatus() not quoted in the report)
    }

    nsXMLHttpRequest::GetStatusText(nsACString& aStatusText)
    {
      nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();
      aStatusText.Truncate();
      nsresult rv = NS_OK;
      if (httpChannel) {
        rv = httpChannel->GetResponseStatusText(aStatusText);
      }
      return rv;
    }

Reproducible: Always
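An added example, not Gecko code from the report or from the patch: a self-contained C++ model of the two getters described above. It keeps the leaky GetStatusText() beside a guarded form that reuses the denied-cross-site check GetStatus() already performs, and returns an empty string rather than an error when there is no HTTP channel. The Channel struct, XhrModel, and the nsresult/NS_FAILED stand-ins are constructed for this example.

```cpp
// Added example (not Gecko code): model of XHR status/statusText suppression
// for denied cross-site requests, as in bug 552090.
#include <cstdint>
#include <string>

// Constructed stand-ins for Gecko's nsresult, NS_FAILED and the state flag.
typedef uint32_t nsresult;
const nsresult NS_OK = 0;
const nsresult NS_ERROR_FAILURE = 0x80004005;  // generic failure code
static bool NS_FAILED(nsresult r) { return (r & 0x80000000u) != 0; }
const uint32_t XML_HTTP_REQUEST_USE_XSITE_AC = 1u << 0;

// Minimal channel: what the server answered, plus the channel status the
// access-control check set when it denied the cross-site request.
struct Channel {
    nsresult status;          // NS_OK, or a failure if the cross-site check denied
    uint32_t httpStatus;      // e.g. 200, 404 as sent by the server
    std::string statusText;   // e.g. "OK", "Not Found"
};

struct XhrModel {
    uint32_t mState;
    Channel* mChannel;        // null when no HTTP channel exists

    // Shared guard: true when a denied cross-site request must reveal nothing.
    bool DeniedCrossSite() const {
        return (mState & XML_HTTP_REQUEST_USE_XSITE_AC) && mChannel &&
               NS_FAILED(mChannel->status);
    }
    // Mirrors the guarded GetStatus(): 0 for a denied request.
    uint32_t GetStatus() const {
        if (DeniedCrossSite() || !mChannel) return 0;
        return mChannel->httpStatus;
    }
    // Vulnerable form from the report: never consults the channel status,
    // so the server's reason phrase leaks even when the request was denied.
    std::string GetStatusTextLeaky() const {
        return mChannel ? mChannel->statusText : "";
    }
    // Guarded form: same suppression as GetStatus(); empty, not an error,
    // when there is no HTTP channel.
    std::string GetStatusText() const {
        if (DeniedCrossSite() || !mChannel) return "";
        return mChannel->statusText;
    }
};
```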
Updated•14 years ago
Status: UNCONFIRMED → NEW
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Component: Security → DOM
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → general
Whiteboard: [sg:high]
Comment 1•14 years ago
The fix here is pretty trivial. sicking asked me to not throw if we didn't have an http channel because we currently don't throw at all in that case.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #432251 - Flags: superreview?(jst)
Attachment #432251 - Flags: review?(jonas)
Comment on attachment 432251 [details] [diff] [review] Fix
Thanks!
Attachment #432251 - Flags: review?(jonas) → review+
Updated•14 years ago
Attachment #432251 - Flags: superreview?(jst) → superreview+
Comment 3•14 years ago
This should block the next branch release - please request patch approval once it's baked.
blocking1.9.2: ? → needed
Comment 4•14 years ago
http://hg.mozilla.org/mozilla-central/rev/637a23219852
I'm also lowering the severity of this. The statusText field only exposes whether or not a server exists, and there exist timing based attacks to expose the same information. dveditz, bsterne, please tell me if I'm off base here.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [sg:high] → [sg:low]
Comment 5•14 years ago
This issue was separately reported to security@ by Nicholas B. <nberthaume@gmail.com>. Nominating for branches.
blocking1.9.1: needed → ?
blocking1.9.2: needed → ?
OS: Mac OS X → All
Hardware: x86 → All
Updated•14 years ago
Attachment #432251 - Flags: approval1.9.2.8?
Attachment #432251 - Flags: approval1.9.1.12?
Comment 6•14 years ago
> The statusText field only exposes whether or not a server exists
Not quite; it can expose some details of the server's setup too.
Updated•14 years ago
blocking1.9.1: ? → .12+
blocking1.9.2: ? → .8+
Comment 7•14 years ago
Comment on attachment 432251 [details] [diff] [review] Fix
Approved for 1.9.2.8 and 1.9.1.12, a=dveditz for release-drivers
Attachment #432251 - Flags: approval1.9.2.8? → approval1.9.2.8+
Attachment #432251 - Flags: approval1.9.1.12? → approval1.9.1.12+
Comment 8•14 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/b80930b974b0
Comment 9•14 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5e36cfa5f256
Comment 10•14 years ago
Verified for 1.9.1 and 1.9.2 based on updated checked in tests.
Keywords: verified1.9.1, verified1.9.2
Updated•14 years ago
Alias: CVE-2010-2764
Updated•14 years ago
blocking2.0: ? → final+
Updated•14 years ago
Group: core-security
Updated•5 years ago
Component: DOM → DOM: Core & HTML