Bug 58021: Privileged code insertion with addPanel
Status: VERIFIED FIXED (Closed)
Opened 25 years ago, closed 25 years ago
Categories: Core :: Security, defect, P3
People: Reporter: security-bugs, Assigned: security-bugs
Whiteboard: [rtm++][InLimbo-OOH]
Attachments: 1 file (patch, 1014 bytes)
It is possible for a web script to run privileged code using
sidebar.addPanel("javascript: ... "), or potentially with a chrome: URL instead
of a javascript: URL. We should probably not allow sidebar panels to be
javascript: URLs, or else we should not give those urls the system principal.
The example above works on unix systems. It will execute /usr/bin/control-panel,
as an example. Change the 'executable' string in the script to C:\something.exe
to see this work on Windows.
The other possible scenario is asking the user to install an otherwise benign
skin, using the skin installer, which places some malicious .xul file somewhere
in the chrome directory. Then, the attacker convinces the user to click a link
which does an addPanel("chrome://navigator/skins/malicious.xul"), causing the
code in that malicious file to be run.
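The first remedy the report proposes (refusing javascript: and chrome: panel URLs) can be sketched as a scheme allowlist applied after URL parsing. This is an added example, not the attached patch or any Mozilla code; `checkPanelUrl`, `ALLOWED_SCHEMES` and the sample inputs are assumptions made for illustration.

```javascript
'use strict';
// Added example; checkPanelUrl and ALLOWED_SCHEMES are hypothetical names,
// not Mozilla APIs. Only ordinary web schemes may back a panel.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function checkPanelUrl(rawUrl, callerBase) {
  if (typeof rawUrl !== 'string') {
    return { ok: false, reason: 'URL must be a string' };
  }
  let parsed;
  try {
    // Parse first, then decide. The WHATWG parser trims surrounding
    // whitespace, strips embedded tabs/newlines and lowercases the scheme,
    // so the check sees the same scheme the loader would act on.
    parsed = new URL(rawUrl, callerBase);
  } catch (err) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} is not allowed` };
  }
  // Hand back the normalized form so the caller stores what was checked.
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs (the chrome: URL is the one quoted in the report).
const SAMPLES = [
  'http://example.com/panel.html',
  'panel.html',
  'javascript:void(0)',
  ' JaVa\tScRiPt:void(0)',
  'chrome://navigator/skins/malicious.xul',
  'data:text/html,panel',
];

function runSamples() {
  return SAMPLES.map((u) => checkPanelUrl(u, 'https://example.com/dir/page.html'));
}

for (const [i, r] of runSamples().entries()) {
  console.log(JSON.stringify(SAMPLES[i]), '->', r.ok ? `accept ${r.url}` : `reject (${r.reason})`);
}
```

Scheme filtering covers only the first of the two remedies in the report; the second, not giving panel content the system principal, is a separate control.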
Comment 1 • 25 years ago (Assignee)
This is critical for RTM, I think.
Status: NEW → ASSIGNED
Keywords: rtm
Comment 2 • 25 years ago (Assignee)
Comment 3 • 25 years ago
Looks like you're working on this, adding [rtm need info] to the whiteboard.
Getting this approved soon seems like a Good Thing (TM)
Whiteboard: [rtm need info]
Comment 4 • 25 years ago
r=mccabe, looks like a simple fix.
Comment 5 • 25 years ago (Assignee)
Marking rtm+ in anticipation of sr= from Hyatt.
Whiteboard: [rtm need info] → [rtm+]
Comment 6 • 25 years ago
a=hyatt
Comment 7 • 25 years ago
This bug is in candidate limbo. We will reconsider this fix once we have a
candidate in hand, but we can't take this fix before then. Please check into the
trunk ASAP.
Updated • 25 years ago
QA Contact: czhang → junruh
Comment 8 • 25 years ago (Assignee)
Adding InLimbo to status so this doesn't get overlooked.
Whiteboard: [rtm+] → [rtm+][InLimbo-OOH]
Comment 9 • 25 years ago
rtm++, please checkin ASAP so we can build today.
Whiteboard: [rtm+][InLimbo-OOH] → [rtm++][InLimbo-OOH]
Comment 10 • 25 years ago (Assignee)
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Comment 13 • 24 years ago
Marking VERIFIED FIXED per:
------- Additional Comments From junruh@netscape.com 2000-11-03 13:30 -------
Verified on Win, Mac and Linux branch 11/3 builds.
Status: RESOLVED → VERIFIED
Updated • 24 years ago (Assignee)
Group: netscapeconfidential?