Bug 552090 (CVE-2010-2764): XHR Cross Site Status leak from xhr.statusText
Status: Closed. Opened 15 years ago; closed 15 years ago.
Product / Component: Core :: DOM: Core & HTML, defect
People: Reporter: haggardii, Assigned: mrbkap
Keywords: verified1.9.1, verified1.9.2; Whiteboard: [sg:low]
Attachments (1 file): patch, 11.11 KB. Flags: sicking: review+; jst: superreview+; dveditz: approval1.9.2.9+; dveditz: approval1.9.1.12+
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
content/base/src/nsXMLHttpRequest.cpp
GetStatus() checks for a leak of status information from denied cross-site requests but GetStatusText() does not:

nsXMLHttpRequest::GetStatus(PRUint32 *aStatus)
{
  *aStatus = 0;

  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
    // Make sure we don't leak status information from denied cross-site
    // requests.
    if (mChannel) {
      nsresult status;
      mChannel->GetStatus(&status);
      if (NS_FAILED(status)) {
        return NS_OK;
      }
    }
  }
  // ... (remainder of GetStatus() not quoted in the report)

nsXMLHttpRequest::GetStatusText(nsACString& aStatusText)
{
  // No equivalent XML_HTTP_REQUEST_USE_XSITE_AC / NS_FAILED(status) guard
  // here: the status line is copied from the channel even when the
  // cross-site request was denied.
  nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();

  aStatusText.Truncate();

  nsresult rv = NS_OK;

  if (httpChannel) {
    rv = httpChannel->GetResponseStatusText(aStatusText);
  }

  return rv;
}
Reproducible: Always
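The guard the report describes, as an added example that is not Gecko code and not the attached patch: a small C++ model of an XHR object holding a channel, with GetStatus() behaving as quoted above, a pre-fix GetStatusText() that copies the status line unconditionally, and a fixed GetStatusText() that applies the same cross-site check. The names mState, mChannel, XML_HTTP_REQUEST_USE_XSITE_AC, NS_OK and NS_FAILED follow the report; Channel, ModelXhr, Observation, the Probe* functions and the failure code kDeniedStatus are assumptions made for this illustration, and the sample responses are constructed.

```cpp
// Added example, not Gecko code: a model of the guard that the fix for
// bug 552090 copies from GetStatus() into GetStatusText(). Channel, ModelXhr,
// Observation, Probe* and kDeniedStatus are assumptions for this illustration.
#include <cstdint>
#include <iostream>
#include <string>

using nsresult = std::uint32_t;
constexpr nsresult NS_OK = 0;
// XPCOM convention: a failure code has the high bit set. The value itself is a
// constructed placeholder for "channel cancelled by the cross-site access check".
constexpr nsresult kDeniedStatus = 0x80004005;
constexpr std::uint32_t XML_HTTP_REQUEST_USE_XSITE_AC = 1u << 0;

inline bool NS_FAILED(nsresult rv) { return (rv & 0x80000000u) != 0; }

// What the channel still holds after the response was read: the channel
// status set by the access check, plus the HTTP status line from the server.
struct Channel {
    nsresult status;
    std::uint32_t responseStatus;
    std::string responseStatusText;
};

class ModelXhr {
public:
    ModelXhr(std::uint32_t state, const Channel* channel)
        : mState(state), mChannel(channel) {}

    // Mirrors GetStatus() from the report: for a cross-site request whose
    // channel was cancelled (denied), report 0 rather than the real code.
    std::uint32_t GetStatus() const {
        if (DeniedCrossSite()) return 0;
        return mChannel ? mChannel->responseStatus : 0;
    }

    // Pre-fix behaviour: the status line is copied out unconditionally.
    std::string GetStatusTextVulnerable() const {
        return mChannel ? mChannel->responseStatusText : std::string();
    }

    // Post-fix behaviour: the same guard as GetStatus(); no channel or a
    // denied cross-site request both yield "" rather than an error.
    std::string GetStatusTextFixed() const {
        if (DeniedCrossSite()) return std::string();
        return mChannel ? mChannel->responseStatusText : std::string();
    }

private:
    bool DeniedCrossSite() const {
        return (mState & XML_HTTP_REQUEST_USE_XSITE_AC) && mChannel &&
               NS_FAILED(mChannel->status);
    }
    std::uint32_t mState;
    const Channel* mChannel;
};

struct Observation {
    std::uint32_t status;
    std::string vulnerableText;
    std::string fixedText;
};

static Observation Probe(std::uint32_t state, const Channel& ch) {
    ModelXhr xhr(state, &ch);
    return {xhr.GetStatus(), xhr.GetStatusTextVulnerable(), xhr.GetStatusTextFixed()};
}

// Cross-site request to a host that answered 404 but granted no cross-site
// access, so the access check cancelled the channel. status is already 0;
// only the fixed statusText is blank as well.
Observation ProbeDeniedCrossSite() {
    const Channel denied{kDeniedStatus, 404, "Not Found"};  // constructed
    return Probe(XML_HTTP_REQUEST_USE_XSITE_AC, denied);
}

// Cross-site request the server allowed: nothing is hidden.
Observation ProbeAllowedCrossSite() {
    const Channel allowed{NS_OK, 200, "OK"};  // constructed
    return Probe(XML_HTTP_REQUEST_USE_XSITE_AC, allowed);
}

// Same-origin request: the guard is keyed on the cross-site flag, so a failed
// channel status does not blank the fields (a page may see its own errors).
Observation ProbeSameOrigin() {
    const Channel own{kDeniedStatus, 500, "Internal Server Error"};  // constructed
    return Probe(0, own);
}

int main() {
    const Observation o = ProbeDeniedCrossSite();
    std::cout << "denied cross-site: status=" << o.status
              << " statusText(pre-fix)=\"" << o.vulnerableText
              << "\" statusText(fixed)=\"" << o.fixedText << "\"\n";
    return 0;
}
```

Compile with any C++11 compiler and run: the denied cross-site probe reports status 0 while the pre-fix statusText still reads "Not Found", which is the leak the report describes; the fixed accessor returns the empty string, matching what GetStatus() already hid.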
Updated by assignee, 15 years ago:
Status: UNCONFIRMED → NEW
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Component: Security → DOM
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → general
Whiteboard: [sg:high]

Comment 1, by assignee, 15 years ago:
The fix here is pretty trivial. sicking asked me to not throw if we didn't have an http channel because we currently don't throw at all in that case.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #432251 - Flags: superreview?(jst)
Attachment #432251 - Flags: review?(jonas)

Comment on attachment 432251 [details] [diff] [review]
Fix

Thanks!

Attachment #432251 - Flags: review?(jonas) → review+

Updated 15 years ago:
Attachment #432251 - Flags: superreview?(jst) → superreview+

Comment 3, 15 years ago:
This should block the next branch release - please request patch approval once it's baked.
blocking1.9.2: ? → needed
Comment 4, by assignee, 15 years ago:
http://hg.mozilla.org/mozilla-central/rev/637a23219852
I'm also lowering the severity of this. The statusText field only exposes whether or not a server exists, and there exist timing-based attacks to expose the same information.
dveditz, bsterne, please tell me if I'm off base here.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [sg:high] → [sg:low]
Updated 15 years ago

Comment 5, 15 years ago:
This issue was separately reported to security@ by Nicholas B. <nberthaume@gmail.com>.
Nominating for branches.
blocking1.9.1: needed → ?
blocking1.9.2: needed → ?
OS: Mac OS X → All
Hardware: x86 → All
Updated 15 years ago:
Attachment #432251 - Flags: approval1.9.2.8?
Attachment #432251 - Flags: approval1.9.1.12?

Comment 6, 15 years ago:
> The statusText field only exposes whether or not a server exists
Not quite; it can expose some details of the server's setup too.
Updated 15 years ago:
blocking1.9.1: ? → .12+
blocking1.9.2: ? → .8+
Comment 7, 15 years ago:
Comment on attachment 432251 [details] [diff] [review]
Fix
Approved for 1.9.2.8 and 1.9.1.12, a=dveditz for release-drivers
Attachment #432251 - Flags: approval1.9.2.8? → approval1.9.2.8+
Attachment #432251 - Flags: approval1.9.1.12? → approval1.9.1.12+
Comment 8, by assignee, 15 years ago

Comment 9, by assignee, 15 years ago

Comment 10, 15 years ago:
Verified for 1.9.1 and 1.9.2 based on updated checked in tests.
Keywords: verified1.9.1, verified1.9.2
Updated 14 years ago:
Alias: CVE-2010-2764
Updated 14 years ago:
blocking2.0: ? → final+
Updated 14 years ago:
Group: core-security
Updated 6 years ago:
Component: DOM → DOM: Core & HTML