Bug 59208 (Closed): Can enumerate properties of a window in another domain
Opened 23 years ago; closed 23 years ago
Categories: Core :: Security: CAPS, defect, P2
Status: VERIFIED FIXED
Target Milestone: mozilla0.9.4
People: Reporter: jruderman, Assigned: security-bugs
Keywords: csectype-disclosure, csectype-sop, sec-low; Whiteboard: patch
Attachments (4 files):
  944 bytes, text/html
  2.39 KB, text/html
  3.00 KB, patch
  2.82 KB, patch (asa: approval+)
Description:
1. Load the attachment.
2. Hit "open calculator".
3. Hit "list properties".
Result: all enumerable properties of the new window are listed, including variables and functions on the calculator page (such as htmlEscape and pi).
4. Type nuclearBombOutput=30+10 into the calculator.
5. Hit the "list properties" button again.
Result: the string nuclearBombOutput (but not its value, 40) is available to the first window.
I don't think you'd be able to steal passwords or cookies using this trick, but you could probably tell whether the user has an account at some sites, or tell whether they're doing anything in the new window. You can tell whether the user uses a bookmarklet in the new window, if the bookmarklet sets variables when it is used. I haven't tested this with frames (instead of window.open).
Comment 1 (Reporter, 23 years ago)

Comment 2 (Reporter, 23 years ago)
NS 4.75 is vulnerable to this attack; IE says access denied.
Comment 3 (Assignee, 23 years ago)
Looks to me like you can enumerate the properties of the Window object but not any sub-properties, and you can't actually read the value of any of those properties. The only information leakage I see is being able to tell the names of window-global vars defined by scripts on that page, and this is minor. Am I missing something? I think the solution, if we wanted to fix this, would be to apply CheckScriptAccess to the for-in statement, so that if you can't read the value of a property, you can't enumerate it either. I'm not sure this is worth the work it would require, but if you disagree then please give me reasons, or better still, send me a patch.
Status: NEW → ASSIGNED
Target Milestone: --- → Future
Comment 4 (Reporter, 23 years ago)
Right, this just lets you look at global variables on the page. The check would have to happen in propertyIsEnumerable and other similar functions as well as in for-in loops.
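An added example (not from the bug's attachments or from Mozilla's code) modelling the leak Comments 3 and 4 describe and the fix they propose: a Proxy stands in for a cross-origin Window, CROSS_ORIGIN_READABLE and canRead are assumed stand-ins for the access check, and leakedNames is a regression check that reports names a caller can enumerate but not read. Runs under Node.

```javascript
// Constructed subset of the names a cross-origin page may read on another
// window (modelled on the same-origin-policy allowlist browsers use today).
const CROSS_ORIGIN_READABLE = new Set([
  "window", "self", "location", "close", "closed", "focus", "blur",
  "frames", "length", "top", "opener", "parent", "postMessage",
]);

class SecurityError extends Error {}

// Per-property read check; stands in for the CheckScriptAccess call the
// bug discusses (hypothetical binding, not Mozilla's code).
const canRead = (name) =>
  typeof name === "string" && CROSS_ORIGIN_READABLE.has(name);

// Wrap a window-like object for a cross-origin caller. With
// enumerationChecked=false, reads are checked but enumeration is not, which
// is the bug: for-in and propertyIsEnumerable still reveal the page's globals.
function makeCrossOriginWindow(target, { enumerationChecked }) {
  return new Proxy(target, {
    get(t, name) {
      if (!canRead(name)) {
        throw new SecurityError(
          `Permission denied to get property Window.${String(name)}`);
      }
      return t[name];
    },
    // The fix: if the value cannot be read, the name is not enumerable either.
    ownKeys(t) {
      const keys = Reflect.ownKeys(t);
      return enumerationChecked ? keys.filter(canRead) : keys;
    },
    getOwnPropertyDescriptor(t, name) {
      if (enumerationChecked && !canRead(name)) return undefined;
      return Reflect.getOwnPropertyDescriptor(t, name);
    },
  });
}

// Regression check for the bug's exact condition: names a cross-origin caller
// can enumerate but not read. A non-empty result is the information leak.
function leakedNames(win) {
  const leaked = [];
  for (const name in win) {
    try { void win[name]; } catch (e) {
      if (e instanceof SecurityError) leaked.push(name); else throw e;
    }
  }
  return leaked;
}

// Constructed stand-in for the calculator page's global scope.
const calculatorGlobals = { location: "https://calc.example/", postMessage() {},
  pi: 3.14159, htmlEscape: (s) => s, nuclearBombOutput: 40 };
```

With enumerationChecked=false, leakedNames reports pi, htmlEscape and nuclearBombOutput; with the check applied to enumeration as well, it reports nothing while allowlisted reads such as location still succeed.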
Comment 6 (Assignee, 23 years ago)
Wontfix unless someone (Jesse?) demonstrates that this is more dangerous than it appears to me right now. I don't think there's a major information leak here.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → WONTFIX
Comment 7 (Reporter, 23 years ago)

Comment 8 (Reporter, 23 years ago)
Reopening. I can quietly find out whether a visitor to my site is logged into any site that does all of the following: 1. uses login cookies; 2. shows a different page, or redirects to a different page, iff you're not logged in; 3. has different (global) javascript functions on the "please log in" page and the normal page.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Comment 9 (Reporter, 23 years ago)
Un-futuring since I reopened this bug.
Target Milestone: Future → ---
Comment 10 (Assignee, 23 years ago)
Mass adding mozilla0.9 keyword (mass changing milestone doesn't seem to work).
Status: REOPENED → ASSIGNED
Keywords: mozilla0.9
Comment 11 (Assignee, 23 years ago)
Mass changing milestone to Moz1.0 - stuff targeted for late spring/early summer.
Target Milestone: --- → mozilla1.0
Comment 12 (Assignee, 23 years ago)
Target is now 0.9.4, Priority P2.
Priority: P3 → P2
Target Milestone: mozilla1.0 → mozilla0.9.4
Comment 13 (Assignee, 23 years ago)

Comment 14 (Assignee, 23 years ago)

Comment 15 (Assignee, 23 years ago)
We have a fix for 97555. If this patch and the ones in that bug are checked in concurrently, we'll be golden.
Whiteboard: patch
Comment 16 (23 years ago)
sr=jband This looks right to me. I suggest you get a review from jst to confirm that this fits his scheme.
Comment 17 (23 years ago)
Add a space before 'if' at: - NS_ERROR("Don't call me!"); + if (!sSecMan) + return NS_OK; and I'm ok with this, r=jst
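Review bot: the quoted hunk replaces an NS_ERROR with an early `return NS_OK` when sSecMan is null, so a missing security manager is now reported to the caller as success; if this path can be reached while an access check is being made, that is a fail-open default, so either confirm the caller treats NS_OK here as "no decision" rather than "allowed", or return a failure code such as NS_ERROR_FAILURE instead. The requested space before `if` still applies.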
Updated (23 years ago): Attachment #47608 - Flags: approval+
Comment 18 (23 years ago)
Comment on attachment 47608, Patch v2 - still crashes when the enumeration is destroyed. See bug 97555. a=asa on behalf of drivers
Comment 19 (Assignee, 23 years ago)
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
Comment 20 (23 years ago)
Verified on build: 2001-09-13-0.9.4, platform: Win NT. Both the test attachments work as expected.
1. http://bugzilla.mozilla.org/showattachment.cgi?attach_id=18769
For the above test, when "list properties" is clicked an error is written in the JS console: "Error: uncaught exception: Permission denied to get property Window.enumerateProperties". And on the 1st window only the name "ObjectWindow" appears.
2. http://bugzilla.mozilla.org/showattachment.cgi?attach_id=20957
For the above test, an error message appears on the browser window where the nytimes page is loaded: "Got error while trying to enumerate propeties of nytArticle: Permission denied to get property Window.enumerateProperties".
Status: RESOLVED → VERIFIED