Closed
Bug 622012
Opened 15 years ago
Closed 1 year ago
News uris allow you to execute arbitrary commands on server
Categories
(MailNews Core :: Networking: NNTP, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: jcranmer, Unassigned)
Details
(Keywords: sec-audit)
If you have an email with an image with the following href:
<news://news.mozilla.org/mozilla.dev.apps.thunderbird?search/CAPABILITIES>, CAPABILITIES will be executed on the server. You can also click on a link with the same href to execute the command.
The best way to fix this would probably be to rewrite the search URI semantics to not execute the actual command.
I don't know if this is security-sensitive or not, though.
Comment 1•15 years ago
Is that syntax for news:// new? or have we always exposed servers this way?
Reporter
Comment 2•15 years ago
The ?search has been around for a very long time, if that is what you are asking:
<http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/mailnews/news/src/nsNNTPProtocol.cpp&rev=1.1&mark=2755-2794#2755>.
Comment 3•15 years ago
I don't think it should stay security sensitive as it's not an attack vector, at least for TB. Could it be used as a way to attack servers?
Comment 4•15 years ago
If it's a problem for the server then it seems they'd be open to attack from custom (malicious) clients, in which case the worst might be recruiting unwitting MailNews users into a distributed attack on the server.
Won't servers have to already protect against this if it's a problem?
Whiteboard: [sg:needinfo]
Reporter
Comment 5•15 years ago
To clarify the situation: the news: URI that causes this problem is an extension of core mailnews to the official standard (RFC 5538)--the URI documents do not do anything with query portions except to note that it sometimes serves internal purposes.
Updated•12 years ago
Group: mail-core-security
Updated•12 years ago
Group: mail-core-security
Updated•10 years ago
Group: core-security → mail-core-security
Updated•7 years ago
Comment 6•6 years ago
I don't understand why this is an issue in Thunderbird.
Servers should protect themselves.
Does this bug suggest that TB shouldn't execute queries that could trigger bad behavior on an NNTP server?
Flags: needinfo?(Pidgeot18)
Reporter
Comment 7•6 years ago
What would fix this bug would be to change the handling of search URIs to not put the entire command in the URI parameter. Or kill the URL-based state machine altogether, but that's rather more invasive.
Flags: needinfo?(Pidgeot18)
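The contrast between the original description (the text after `search/` in the query is sent to the server as the command) and the fix proposed in comment 7 (stop putting the whole command in the URI parameter), as an added example that is not Thunderbird or MailNews code. The function names, the character sets, and the use of an XPAT-style search command are assumptions made for illustration, not the project's implementation:

```javascript
// Added example, not Thunderbird/MailNews code. Names (legacyCommandFromQuery,
// parseNewsUri, commandsFor) and the XPAT-based search command are assumptions
// made for illustration.

// Legacy semantics as the bug describes them: whatever follows "search/" in the
// query is handed to the server as the command itself, so the client relays any
// command that a link or image href can carry.
function legacyCommandFromQuery(search) {
  const m = /^\?search\/(.*)$/.exec(search);
  return m ? m[1] : null;
}

// Hardened handling: the URI is parsed into structured fields, each field is
// validated against a tight character set, and the search term is only ever a
// pattern argument to a fixed verb, never a verb itself.
const GROUP_RE = /^[A-Za-z0-9.+_-]{1,128}$/;
const TERM_RE = /^[A-Za-z0-9 ._@-]{1,200}$/; // no control characters at all

function parseNewsUri(uri) {
  const u = new URL(uri);
  if (u.protocol !== "news:") throw new Error("not a news: URI");
  const group = decodeURIComponent(u.pathname.replace(/^\//, ""));
  if (!GROUP_RE.test(group)) throw new Error("invalid newsgroup name");
  let term = null;
  if (u.search !== "") {
    const m = /^\?search\/(.*)$/.exec(u.search);
    if (!m) throw new Error("unsupported query");
    term = decodeURIComponent(m[1]);
    // Decoding happens before validation so encoded control characters
    // cannot slip through as a second protocol line.
    if (!TERM_RE.test(term)) throw new Error("invalid search term");
  }
  return { host: u.hostname, group, term };
}

// Commands are assembled from fixed verbs only. The XPAT form (an NNTP
// extension described in RFC 2980) is assumed here for the sake of example.
function commandsFor(req) {
  const cmds = [`GROUP ${req.group}`];
  if (req.term !== null) cmds.push(`XPAT Subject 1- *${req.term}*`);
  return cmds;
}

// Demonstration on the href from the bug report: under the legacy rule the
// query becomes the bare command, under the hardened rule it is only a pattern.
const HREF =
  "news://news.mozilla.org/mozilla.dev.apps.thunderbird?search/CAPABILITIES";
console.log("legacy command:", legacyCommandFromQuery(new URL(HREF).search));
console.log("hardened commands:", commandsFor(parseNewsUri(HREF)));
```

The point of the hardened version is structural: once the URI is reduced to `{host, group, term}` there is no code path on which user-controlled bytes reach the wire as a verb, which is the property comment 7 asks for and which comment 8 reports the current `handleNewsUri` / `getUrlForUri` handling achieves.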
Updated•3 years ago
Severity: normal → S3
Comment 8•1 year ago
The way 'news:' URIs are now handled, this doesn't seem to be possible anymore. See MailUtils.handleNewsUri() and BaseMessageService.getUrlForUri().
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
Comment 9•1 year ago
nsINntpUrl::ActionSearch is basically unused now, since a server search is started directly without such a URL, see BaseMessageService.search().