Privileged code insertion with addPanel

Status: VERIFIED FIXED
Product / Component: Core / Security
Priority: P3
Severity: critical
Reported: 18 years ago
Last modified: 17 years ago

People

Reporter: Mitchell Stoltz (not reading bugmail)
Assigned: Mitchell Stoltz (not reading bugmail)

Tracking

Target: Trunk
Points: ---
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [rtm++][InLimbo-OOH]
URL: (see bug URL field)

Attachments: 1 attachment

It is possible for a web script to run privileged code using
sidebar.addPanel("javascript: ... "), or potentially with a chrome: URL instead
of a javascript: URL. We should probably not allow sidebar panels to be
javascript: URLs, or else we should not give those urls the system principal.

The example above works on unix systems. It will execute /usr/bin/control-panel,
as an example. Change the 'executable' string in the script to C:\something.exe
to see this work on Windows.

The other possible scenario is asking the user to install an otherwise benign
skin, using the skin installer, which places some malicious .xul file somewhere
in the chrome directory. Then, the attacker convinces the user to click a link
which does an addPanel("chrome://navigator/skins/malicious.xul"), causing the
code in that malicious file to be run.
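The defence the report sketches is a policy question about which URLs may become a sidebar panel at all, and what principal a panel gets once loaded. The following is an added illustration, not Mozilla's code and not the attached patch: a scheme allowlist applied before any load, plus a principal derivation that never hands out the system principal. It generalises slightly beyond the two schemes named in the report by allowlisting rather than denylisting, so a scheme the report does not mention is refused by default. All function names, the registry shape and the sample URLs are hypothetical.

```javascript
// Added example (not Mozilla's code): model of the check the report asks for.
// In the vulnerable version, sidebar.addPanel(url) loaded any URL into a
// context that ran with the system principal, so a javascript: URL (or a
// chrome: URL pointing at a planted .xul file) became privileged code.

// Only ordinary web content is acceptable as a panel. Allowlist, not denylist:
// anything unlisted (javascript:, chrome:, data:, file:, ...) is refused.
const ALLOWED_PANEL_SCHEMES = new Set(["http", "https"]);

// Extract the scheme the way a lenient URL loader would see it: strip leading
// and trailing whitespace/control characters and compare case-insensitively,
// so "  JavaScript:alert(1)" is treated as javascript: and not as "unknown".
function panelUrlScheme(url) {
  const cleaned = String(url).replace(/^[\s\x00-\x1f]+|[\s\x00-\x1f]+$/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function isAllowedPanelUrl(url) {
  const scheme = panelUrlScheme(url);
  return scheme !== null && ALLOWED_PANEL_SCHEMES.has(scheme);
}

// Second layer, the report's alternative fix: even a panel that loads must
// run as its own origin (a codebase principal), never as system.
// Returns null for anything the allowlist rejects.
function panelPrincipal(url) {
  if (!isAllowedPanelUrl(url)) return null;
  const origin = new URL(url).origin; // "https://example.org"
  return { type: "codebase", origin };
}

// Stand-in for sidebar.addPanel: the policy check runs before the URL is
// handed to any loader, so a rejected URL never touches privileged code.
function addPanelChecked(registry, title, url) {
  if (!isAllowedPanelUrl(url)) {
    throw new Error(`refusing sidebar panel with scheme "${panelUrlScheme(url)}": ${url}`);
  }
  registry.push({ title, url, principal: panelPrincipal(url) });
  return registry.length;
}

// Constructed sample inputs: the two attack vectors from the report plus
// a benign panel and a whitespace/case variant of the javascript: vector.
function demo() {
  const registry = [];
  const attempts = [
    ["Weather", "https://example.org/panel.html"],
    ["Evil", "javascript:void(0)"],
    ["Evil2", "  JavaScript:alert(1)"],
    ["Skin", "chrome://navigator/skins/malicious.xul"],
  ];
  const refused = [];
  for (const [title, url] of attempts) {
    try {
      addPanelChecked(registry, title, url);
    } catch (e) {
      refused.push(url);
    }
  }
  return { accepted: registry.length, refused };
}
```

The important property is ordering: the scheme decision is made on the normalised string before any loader, principal code or chrome registry sees the URL, so a bypass has to defeat the allowlist itself rather than a downstream check that is reached only after privileged loading has begun.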
Comment 1 (Assignee)

18 years ago
This is critical for RTM, I think.
Status: NEW → ASSIGNED
Keywords: rtm
Comment 2 (Assignee)

18 years ago
Created attachment 18096
First approximation fix, needs work. Please comment.

Comment 3

18 years ago
Looks like you're working on this, adding [rtm need info] to the whiteboard.
Getting this approved soon seems like a Good Thing (TM) 
Whiteboard: [rtm need info]

Comment 4

18 years ago
r=mccabe, looks like a simple fix.
Comment 5 (Assignee)

18 years ago
Marking rtm+ in anticipation of sr= from Hyatt.
Whiteboard: [rtm need info] → [rtm+]

Comment 6

18 years ago
a=hyatt

Comment 7

18 years ago
This bug is in candidate limbo.  We will reconsider this fix once we have a
candidate in hand, but we can't take this fix before then. Please check into the
trunk ASAP.

Updated

18 years ago
QA Contact: czhang → junruh
Comment 8 (Assignee)

18 years ago
Adding InLimbo to status so this doesn't get overlooked.
Whiteboard: [rtm+] → [rtm+][InLimbo-OOH]

Comment 9

18 years ago
rtm++, please checkin ASAP so we can build today.
Whiteboard: [rtm+][InLimbo-OOH] → [rtm++][InLimbo-OOH]
Comment 10 (Assignee)

18 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 11

18 years ago
Verified on Win, Mac and Linux branch 11/3 builds.
Keywords: vtrunk

Comment 12

18 years ago
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer

Comment 13

17 years ago
Marking VERIFIED FIXED per:
------- Additional Comments From junruh@netscape.com 2000-11-03 13:30 -------

Verified on Win, Mac and Linux branch 11/3 builds.
Status: RESOLVED → VERIFIED
Updated (Assignee)

17 years ago
Group: netscapeconfidential?