Closed
Bug 568148
(CVE-2010-1213)
Opened 15 years ago
Closed 14 years ago
Combining "importScripts" of WebWorker with E4X causes information disclosure
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.9.3a5
People
(Reporter: yosuke.hasegawa, Assigned: brendan)
References
()
Details
(Keywords: verified1.9.1, verified1.9.2, Whiteboard: [sg:high] fixed-in-tracemonkey [critsmash-high:patch])
Attachments
(2 files)
|
755 bytes,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
|
737 bytes,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; ja; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; ja; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
"importScripts" method reads remote resources as a javascript even if that is not a JavaScript file.
And "importScripts" method sent cookies to remote server at requesting their resources.
Additionally, "importScripts" method can read HTML file as JavaScript source using E4X feature.
Thus attacker can read the victim's protected HTML file using "importScripts" and E4X across the domain.
Reproducible: Always
Steps to Reproduce:
see demo page for details.
http://openmya.hacker.jp/hasegawa/PoC/webworker.html
Actual Results:
attacker can read remote contents.
Expected Results:
"importScripts" should fail to read HTML as a javascript source, like as <script src="html">
|
Assignee | |
Comment 1•15 years ago
|
||
Assignee: general → brendan
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #447465 -
Flags: review?(gal)
|
|
Assignee | |
Comment 2•15 years ago
|
||
Reporter, thanks for finding this!
/be
Priority: -- → P1
Target Milestone: --- → mozilla1.9.3a5
|
||
Comment 3•15 years ago
|
||
Comment on attachment 447465 [details] [diff] [review]
fix, always reject only-XML JS source whether script result wanted or not
Brendan explained the historic reason for bypassing the check in case of TCF_NO_SCRIPT_EVAL (if you wanted the value we were hoping you know what you are doing), but it seems best to always apply it.
Attachment #447465 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 4•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/d5c0c147d6f0
JS folks offer to review any JS API based new code, including workers. Seems like a good idea, may not catch everything -- could help improve docs and API at least though (at best it might catch bugs like this).
/be
Whiteboard: fixed-in-tracemonkey
|
||
Comment 5•15 years ago
|
||
Interesting that even though this patch builds on the fix for bug 375250, it is more severe, because bug 375250 was not exploitable as reported.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Whiteboard: fixed-in-tracemonkey → [sg:high] fixed-in-tracemonkey
|
|
Assignee | |
Comment 6•15 years ago
|
||
(In reply to comment #5)
> Interesting that even though this patch builds on the fix for bug 375250, it is
> more severe, because bug 375250 was not exploitable as reported.
This bug is about a new API, not around when that bug was fixed.
/be
|
|
Assignee | |
Comment 7•15 years ago
|
||
Sorry I missed the orange -- thanks to Waldo for pointing it out today.
/be
Attachment #447835 -
Flags: review?(gal)
|
|
Assignee | |
Comment 8•15 years ago
|
||
Followup fix:
http://hg.mozilla.org/tracemonkey/rev/4e04e69a5d41
/be
|
||
Updated•15 years ago
|
Whiteboard: [sg:high] fixed-in-tracemonkey → [sg:high] fixed-in-tracemonkey [critsmash-high:patch]
|
||
Updated•15 years ago
|
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
|
|
||
Comment 9•15 years ago
|
||
qawanted: please turn the test link into an attachment to this bug so we know we'll have it for regression testing.
brendan: could we turn the testcase into something we could check-in once the fix is public?
|
|
Assignee | |
Comment 10•15 years ago
|
||
Cc'ing jorendorff re: comment 9 question -- we have workers in the js shell, IIRC.
/be
|
||
Comment 11•14 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Updated•14 years ago
|
blocking1.9.2: .5+ → .6+
|
|
Assignee | |
Comment 12•14 years ago
|
||
Comment on attachment 447835 [details] [diff] [review]
followup fix
This went in.
/be
Attachment #447835 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 13•14 years ago
|
||
|
||
Comment 14•14 years ago
|
||
Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.11pre) Gecko/20100622 Shiretoko/3.5.11pre ( .NET CLR 3.5.30729) using testcase. Checked in build before checkin and testcase reproduced bug there.
Verified for 1.9.2 the same way in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6pre) Gecko/20100622 Namoroka/3.6.6pre ( .NET CLR 3.5.30729) and the build from the day before the fix.
Keywords: verified1.9.1,
verified1.9.2
|
|
Assignee | |
Comment 15•14 years ago
|
||
I didn't attach a patch here, but it was a one-liner. See comment 13. Can I get off the list of bugs without approved patches without actually attaching a patch and getting (retroactive) approval?
/be
|
||
Comment 16•14 years ago
|
||
Yep, off lists.
|
|
||
Updated•14 years ago
|
Alias: CVE-2010-1213
|
|
||
Updated•14 years ago
|
Group: core-security
|
||
Comment 17•10 years ago
|
||
Issue is resolved - clearing old keywords - qa-wanted clean-up
Keywords: qawanted
You need to log in
before you can comment on or make changes to this bug.
Description
•