Can enumerate properties of a window in another domain

VERIFIED FIXED in mozilla0.9.4

Status: VERIFIED FIXED
Priority: P2; Severity: normal
Reported: 18 years ago; Modified: 5 years ago

People: Reporter: jruderman; Assigned: security-bugs

Tracking: Keywords: csectype-disclosure, csectype-sop, sec-low
Version: Trunk; Target Milestone: mozilla0.9.4
Hardware: x86; OS: Windows 98

Details: Whiteboard: patch

Attachments: 4

(Reporter)

Description

18 years ago
1. Load the attachment
2. Hit "open calculator"
3. Hit "list properties"

Result: all enumerable properties of the new window are listed, including 
variables and functions on the calculator page (such as htmlEscape and pi).

4. Type nuclearBombOutput=30+10 into the calculator
5. Hit the "list properties" button again

Result: the string nuclearBombOutput (but not its value, 40) is available to 
the first window.


I don't think you'd be able to steal passwords or cookies using this trick, but 
you could probably tell whether the user has an account at some sites, or tell 
whether they're doing anything in the new window.  You can tell whether the 
user uses a bookmarklet in the new window, if the bookmarklet sets variables 
when it is used.

I haven't tested this with frames (instead of window.open).
(Reporter)

Comment 1

18 years ago
Created attachment 18769
demonstration
(Reporter)

Comment 2

18 years ago
NS 4.75 is vulnerable to this attack; IE says access denied.
(Assignee)

Comment 3

18 years ago
Looks to me like you can enumerate the properties of the Window object but not
any sub-properties, and you can't actually read the value of any of those
properties. The only information leakage I see is being able to tell the names
of window-global vars defined by scripts on that page, and this is minor. Am I
missing something?

I think the solution, if we wanted to fix this, would be to apply
CheckScriptAccess to the for-in statement, so that if you can't read the
value of a property, you can't enumerate it either. I'm not sure this is worth
the work it would require, but if you disagree then please give me reasons, or
better still, send me a patch.
Status: NEW → ASSIGNED
Target Milestone: --- → Future
(Reporter)

Comment 4

18 years ago
Right, this just lets you look at global variables on the page.  The check 
would have to happen in propertyIsEnumerable and other similar functions as 
well as in for-in loops.
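The enumeration gate that Comments 3 and 4 describe (and that the description's "list properties" button exercises), modelled as an added JavaScript example rather than Mozilla's code: a Proxy stands in for the foreign window, checkScriptAccess stands in for CheckScriptAccess, and the CROSS_ORIGIN_READABLE list, the origins and the calculator globals are constructed assumptions.

```javascript
// Added illustration (not Mozilla's code) of the fix discussed in Comments 3
// and 4: a window from another origin is wrapped in a Proxy whose enumeration
// paths (for-in, Object.keys, propertyIsEnumerable) share the read check, so
// a name that cannot be read cannot be listed either.

// Names any origin may read on a foreign window. This list is an assumption
// of the model, not the browser's real cross-origin allow-list.
const CROSS_ORIGIN_READABLE = new Set(["location", "closed", "length"]);

// Stand-in for CheckScriptAccess: may callerOrigin touch `prop` of a window
// that belongs to targetOrigin?
function checkScriptAccess(callerOrigin, targetOrigin, prop) {
  return callerOrigin === targetOrigin || CROSS_ORIGIN_READABLE.has(prop);
}

// Wrap `globals` (the foreign page's window-level variables and functions).
// With enforceOnEnumeration=false the model behaves as the bug reports:
// reads are denied but every global name is still enumerable.
function openWindow(callerOrigin, targetOrigin, globals, enforceOnEnumeration) {
  const allowed = (prop) => checkScriptAccess(callerOrigin, targetOrigin, String(prop));
  const handler = {
    get(t, prop) {
      if (!allowed(prop)) {
        throw new Error(`Permission denied to get property Window.${String(prop)}`);
      }
      return t[prop];
    },
  };
  if (enforceOnEnumeration) {
    // for-in and Object.keys call ownKeys, then getOwnPropertyDescriptor for
    // enumerability; propertyIsEnumerable calls the latter directly.
    handler.ownKeys = (t) => Reflect.ownKeys(t).filter((k) => allowed(k));
    handler.getOwnPropertyDescriptor = (t, prop) =>
      allowed(prop) ? Reflect.getOwnPropertyDescriptor(t, prop) : undefined;
  }
  return new Proxy(globals, handler);
}

// The attachment's "list properties" button: collect the names for-in yields.
function listProperties(win) {
  const names = [];
  for (const name in win) names.push(name);
  return names;
}

// Constructed sample: the calculator page defines two globals; a "please log
// in" page would define different ones, which is how Comment 8 tells them apart.
const calculatorGlobals = { location: "https://calc.example/", htmlEscape() {}, pi: 3.14159 };
const leaky = openWindow("https://opener.example", "https://calc.example", calculatorGlobals, false);
const fixed = openWindow("https://opener.example", "https://calc.example", calculatorGlobals, true);
```

With enforcement off, listProperties(leaky) still returns htmlEscape and pi even though reading them throws; with enforcement on, only the allow-listed name is visible by any enumeration route.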

Comment 5

18 years ago
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
(Assignee)

Comment 6

18 years ago
Wontfix unless someone (Jesse?) demonstrates that this is more dangerous than it
appears to me right now. I don't think there's a major information leak here.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → WONTFIX
(Reporter)

Comment 7

18 years ago
Created attachment 20957
demonstration: page tells you whether you're logged into nytimes.com
(Reporter)

Comment 8

18 years ago
Reopening.  I can quietly find out whether a visitor to my site is logged into 
any site that does all of the following:

1. uses login cookies;
2. shows a different page, or redirects to a different page, iff you're not 
logged in;
3. has different (global) javascript functions on the "please log in" page and 
the normal page.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
(Reporter)

Comment 9

18 years ago
Un-futuring since I reopened this bug.
Target Milestone: Future → ---
(Assignee)

Comment 10

18 years ago
Mass adding mozilla0.9 keyword (mass changing milestone doesn't seem to work).
Status: REOPENED → ASSIGNED
Keywords: mozilla0.9
(Assignee)

Comment 11

18 years ago
Mass changing milestone to Moz1.0 - stuff targeted for late spring/early summer.
Target Milestone: --- → mozilla1.0
(Assignee)

Comment 12

17 years ago
Target is now 0.9.4, Priority P2.
Priority: P3 → P2
Target Milestone: mozilla1.0 → mozilla0.9.4
(Assignee)

Comment 13

17 years ago
Created attachment 47411
Patch take 1 - crashes.
(Assignee)

Comment 14

17 years ago
Created attachment 47608
Patch v2 - still crashes when the enumeration is destroyed. See bug 97555.

Updated

17 years ago
Depends on: 97555
(Assignee)

Comment 15

17 years ago
We have a fix for 97555. If this patch and the ones in that bug are checked in
concurrently, we'll be golden.
Whiteboard: patch

Comment 16

17 years ago
sr=jband

This looks right to me. I suggest you get a review from jst to confirm that this
fits his scheme.
Add a space before 'if' at:

-  NS_ERROR("Don't call me!");
+ if (!sSecMan)
+    return NS_OK;
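Review bot: the new early return fails open. If sSecMan is null, the function returns NS_OK, and a caller that treats NS_OK as "access granted" will let the cross-origin enumeration proceed, which is the opposite of what this bug fixes. Unless a null sSecMan is impossible at this call site (the removed NS_ERROR("Don't call me!") suggests the path was never expected to run), consider returning a failure code such as NS_ERROR_FAILURE so the enumeration is denied, or add a comment explaining why allowing access here is safe.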

and I'm ok with this, r=jst

Updated

17 years ago
Attachment #47608 - Flags: approval+

Comment 18

17 years ago
Comment on attachment 47608
Patch v2 - still crashes when the enumeration is destroyed. See bug 97555.

a=asa on behalf of drivers
(Assignee)

Comment 19

17 years ago
Fixed.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago → 17 years ago
Resolution: --- → FIXED

Comment 20

17 years ago
Verified on
build: 2001-09-13-0.9.4
platform: Win NT

Both the test attachments work as expected.
1. http://bugzilla.mozilla.org/showattachment.cgi?attach_id=18769
For the above test, when "list properties" is clicked, an error is written to the
JS console: "Error: uncaught exception: Permission denied to get property
Window.enumerateProperties". And on the 1st window only the name "ObjectWindow" appears.
2. http://bugzilla.mozilla.org/showattachment.cgi?attach_id=20957
For the above test, an error message appears on the browser window where the nytimes
page is loaded: "Got error while trying to enumerate propeties of nytArticle:
Permission denied to get property Window.enumerateProperties".
Status: RESOLVED → VERIFIED
(Reporter)

Updated

5 years ago
Keywords: csec-disclosure, csec-sop, sec-low