Bug 614193 - Token is needed to prevent addons direct download
Status: RESOLVED INVALID (Closed)
Opened 14 years ago; Closed 14 years ago
Categories: addons.mozilla.org Graveyard :: Public Pages (defect)
Tracking: Not tracked
People: Reporter: ervistusha; Unassigned
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.10 (maverick) Firefox/3.6.12
Build Identifier:
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<iframe src="https://addons.mozilla.org/firefox/downloads/latest/7684/addon-7684-latest.xpi?src=homepagebrowse" width="0%" height="0" frameborder="0"></iframe>
Website content goes here
</body>
</html>
Reproducible: Always
Steps to Reproduce:
Scenarios:
1. Attacker creates and uploads a malware add-on to addons.mozilla.org
2. Social engineers the victim into visiting his site
3. Forces the victim to download the malware add-on
Note: A lot of big sites are vulnerable to stored XSS
Updated•14 years ago
Summary: Token is needed to stop addons direct download → Token is needed to prevent addons direct download
Comment 1•14 years ago
The problem here is having malware on the site, which our reviewers and users should find and remove quickly. Tokens won't work in a situation like this as add-ons are pushed to the release mirrors anyway.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Comment 2•14 years ago
How is this any different than adding a link to a .xpi stored on any other server (such as the attacker's site)? The prompt blocking will be performed based on framing page, not on the fact that your frame contents come from AMO.
If this worked for you in testing it's because you loaded your test page from a file:// URL which is an allowed source to ask users to install software. If you inject that frame in some other remote site the prompt will be blocked (with an "allow" infobar) as usual. To pull this off you need an XSS in AMO itself, in which case that's already all you need.
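As an added example that is not part of this bug or of Firefox's own code, here is a simplified model of the policy Comment 2 describes: the install-prompt decision is made from the origin of the top-level (framing) page, and the src of an embedded frame (here the AMO .xpi URL from the report) plays no part. The allowlist contents and the page URLs are assumptions for illustration.

```javascript
// Added example (not from the bug or from Mozilla's code): a simplified model of
// the install-prompt policy Comment 2 describes. The decision is made from the
// origin of the top-level (framing) page, never from the src of an embedded
// frame, so an AMO .xpi URL inside an iframe buys a third-party page nothing.
// The allowlist below is an assumption for illustration only.
const INSTALL_ALLOWED_HOSTS = new Set(["addons.mozilla.org"]);

// Returns "prompt" when the XPI install dialog may be shown directly, or
// "blocked" when the browser suppresses it and shows the "allow" infobar.
// frameSrc is accepted but deliberately ignored: the framing page decides.
function installPromptDecision(topLevelUrl, frameSrc) {
  const top = new URL(topLevelUrl);
  // Local files are an allowed source to ask the user to install software,
  // which is why the reporter's test page "worked" when opened from file://.
  if (top.protocol === "file:") return "prompt";
  if (top.protocol === "https:" && INSTALL_ALLOWED_HOSTS.has(top.hostname)) {
    return "prompt";
  }
  return "blocked";
}

// Constructed scenarios mirroring the thread; the frame src is the same AMO
// download URL in every case, so only the framing page differs.
const AMO_XPI =
  "https://addons.mozilla.org/firefox/downloads/latest/7684/addon-7684-latest.xpi";

function scenarios() {
  return {
    // Reporter's setup: test page opened from disk.
    localTestPage: installPromptDecision("file:///home/user/test.html", AMO_XPI),
    // Same iframe injected into some unrelated remote site (hostname assumed).
    thirdPartySite: installPromptDecision("https://third-party.example/", AMO_XPI),
    // Frame living on AMO itself, i.e. the XSS-in-AMO case Comment 2 mentions.
    amoItself: installPromptDecision("https://addons.mozilla.org/en-US/firefox/", AMO_XPI),
  };
}
```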
Updated•14 years ago
Group: client-services-security
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard