Bug 552090 (CVE-2010-2764)

XHR Cross Site Status leak from xhr.statusText

RESOLVED FIXED

Core
DOM

People

(Reporter: Matt, Assigned: mrbkap)

Tracking

({verified1.9.1, verified1.9.2})

Firefox Tracking Flags

(blocking2.0 final+, blocking1.9.2 .9+, status1.9.2 .9-fixed, blocking1.9.1 .12+, status1.9.1 .12-fixed)

Details

(Whiteboard: [sg:low])

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8

content/base/src/nsXMLHttpRequest.cpp

GetStatus() checks for a leak of status information from denied cross-site requests but GetStatusText() does not

nsXMLHttpRequest::GetStatus(PRUint32 *aStatus)
{
  *aStatus = 0;

  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
    // Make sure we don't leak status information from denied cross-site
    // requests.
    if (mChannel) {
      nsresult status;
      mChannel->GetStatus(&status);
      if (NS_FAILED(status)) {
        return NS_OK;
      }
    }
  }

  // ... remainder of GetStatus() omitted in the report ...
}

nsXMLHttpRequest::GetStatusText(nsACString& aStatusText)
{
  nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();

  aStatusText.Truncate();

  nsresult rv = NS_OK;

  // No XML_HTTP_REQUEST_USE_XSITE_AC / channel-status check here, unlike
  // GetStatus() above: the status text is returned even when the cross-site
  // request was denied.
  if (httpChannel) {
    rv = httpChannel->GetResponseStatusText(aStatusText);
  }

  return rv;
}

Reproducible: Always
(Assignee)

Updated

7 years ago
Status: UNCONFIRMED → NEW
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Component: Security → DOM
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → general
Whiteboard: [sg:high]
(Assignee)

Comment 1

7 years ago
Created attachment 432251 [details] [diff] [review]
Fix

The fix here is pretty trivial. sicking asked me to not throw if we didn't have an http channel because we currently don't throw at all in that case.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #432251 - Flags: superreview?(jst)
Attachment #432251 - Flags: review?(jonas)
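Added example, not the attached patch or any Gecko source: a self-contained C++ model of the asymmetry the description points out between GetStatus() and GetStatusText(), with the unguarded getter beside a version that reuses the same denied-cross-site guard and, as Comment 1 requires, still returns NS_OK with empty text when there is no HTTP channel. All types here (nsresult, HttpChannel, XMLHttpRequest, Scenario), the bit assigned to XML_HTTP_REQUEST_USE_XSITE_AC and the error code value are constructed stand-ins for the real ones.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Constructed stand-ins for the Gecko types named in the report (nsresult,
// nsIHttpChannel, nsXMLHttpRequest). The bit assigned to
// XML_HTTP_REQUEST_USE_XSITE_AC and the error code value are assumed here.
using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_FAILURE = 0x80004005u;
constexpr bool NS_FAILED(nsresult rv) { return (rv & 0x80000000u) != 0; }
constexpr uint32_t XML_HTTP_REQUEST_USE_XSITE_AC = 1u << 0;

// The channel keeps the raw HTTP status line even after the access-control
// check has denied the response; denial shows up as a failing channel status.
struct HttpChannel {
  nsresult status = NS_OK;                // what mChannel->GetStatus() reports
  uint32_t responseStatus = 200;          // GetResponseStatus()
  std::string responseStatusText = "OK";  // GetResponseStatusText()
};

struct XMLHttpRequest {
  uint32_t mState = 0;
  HttpChannel* mChannel = nullptr;

  // The guard from the report's GetStatus(): a denied cross-site request
  // must look as if the server never answered.
  bool DeniedCrossSite() const {
    return (mState & XML_HTTP_REQUEST_USE_XSITE_AC) && mChannel &&
           NS_FAILED(mChannel->status);
  }

  nsresult GetStatus(uint32_t* aStatus) const {
    *aStatus = 0;
    if (DeniedCrossSite()) return NS_OK;   // stay at 0, skip the HTTP status
    if (mChannel) *aStatus = mChannel->responseStatus;
    return NS_OK;
  }

  // Before: the shape posted in the report, with no cross-site guard.
  nsresult GetStatusTextLeaky(std::string& aStatusText) const {
    aStatusText.clear();
    if (mChannel) aStatusText = mChannel->responseStatusText;
    return NS_OK;
  }

  // After: the same guard as GetStatus(). As Comment 1 describes, a missing
  // channel still yields empty text and NS_OK rather than an error.
  nsresult GetStatusText(std::string& aStatusText) const {
    aStatusText.clear();
    if (DeniedCrossSite()) return NS_OK;
    if (mChannel) aStatusText = mChannel->responseStatusText;
    return NS_OK;
  }
};

// Constructed scenario: a cross-site XHR whose access-control check denied a
// response the server actually answered with "200 OK".
struct Scenario {
  HttpChannel channel;
  XMLHttpRequest xhr;
  explicit Scenario(bool denied, bool withChannel = true) {
    channel.status = denied ? NS_ERROR_FAILURE : NS_OK;
    xhr.mState |= XML_HTTP_REQUEST_USE_XSITE_AC;
    xhr.mChannel = withChannel ? &channel : nullptr;
  }
};

std::string LeakyStatusTextWhenDenied() {
  Scenario s(/*denied=*/true);
  std::string text;
  s.xhr.GetStatusTextLeaky(text);
  return text;  // "OK": the denied response's status line escapes
}
std::string FixedStatusTextWhenDenied() {
  Scenario s(/*denied=*/true);
  std::string text;
  s.xhr.GetStatusText(text);
  return text;  // "": the status text now matches status == 0
}
std::string FixedStatusTextWhenAllowed() {
  Scenario s(/*denied=*/false);
  std::string text;
  s.xhr.GetStatusText(text);
  return text;  // "OK": permitted cross-site responses are unaffected
}
bool FixedStatusTextWithoutChannelIsSilent() {
  Scenario s(/*denied=*/true, /*withChannel=*/false);
  std::string text = "stale";
  return s.xhr.GetStatusText(text) == NS_OK && text.empty();  // true
}

int main() {
  std::cout << "leaky statusText when denied: \"" << LeakyStatusTextWhenDenied()
            << "\"\nfixed statusText when denied: \"" << FixedStatusTextWhenDenied()
            << "\"\n";
  return 0;
}
```

Compile with any C++11 compiler and run; the two printed lines show the denied response's "OK" escaping from the unguarded getter and an empty string from the guarded one. The guard's inputs are only the access-control state on the request and the channel's nsresult status, so the fix is the existing check applied in a second place, not a new policy.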
Comment on attachment 432251 [details] [diff] [review]
Fix

Thanks!
Attachment #432251 - Flags: review?(jonas) → review+

Updated

7 years ago
Attachment #432251 - Flags: superreview?(jst) → superreview+
This should block the next branch release - please request patch approval once it's baked.
blocking1.9.2: ? → needed
(Assignee)

Comment 4

7 years ago
http://hg.mozilla.org/mozilla-central/rev/637a23219852

I'm also lowering the severity of this. The statusText field only exposes whether or not a server exists, and there exist timing-based attacks to expose the same information.

dveditz, bsterne, please tell me if I'm off base here.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Whiteboard: [sg:high] → [sg:low]
blocking1.9.1: ? → needed
status1.9.1: --- → wanted
status1.9.2: --- → wanted
This issue was separately reported to security@ by Nicholas B. <nberthaume@gmail.com>.

Nominating for branches.
blocking1.9.1: needed → ?
blocking1.9.2: needed → ?
OS: Mac OS X → All
Hardware: x86 → All
Attachment #432251 - Flags: approval1.9.2.8?
Attachment #432251 - Flags: approval1.9.1.12?
> The statusText field only exposes whether or not a server exists

Not quite; it can expose some details of the server's setup too.
blocking1.9.1: ? → .12+
blocking1.9.2: ? → .8+
Comment on attachment 432251 [details] [diff] [review]
Fix

Approved for 1.9.2.8 and 1.9.1.12, a=dveditz for release-drivers
Attachment #432251 - Flags: approval1.9.2.8?
Attachment #432251 - Flags: approval1.9.2.8+
Attachment #432251 - Flags: approval1.9.1.12?
Attachment #432251 - Flags: approval1.9.1.12+
(Assignee)

Comment 8

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/b80930b974b0
status1.9.2: wanted → .9-fixed
(Assignee)

Comment 9

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5e36cfa5f256
status1.9.1: wanted → .12-fixed
Verified for 1.9.1 and 1.9.2 based on updated checked-in tests.
Keywords: verified1.9.1, verified1.9.2
Alias: CVE-2010-2764
blocking2.0: ? → final+
Group: core-security