Bug 645639: snippet details URL is not secure, can spoof major updates
Status: RESOLVED FIXED (Closed)
Opened 14 years ago, closed 14 years ago
Categories: Mozilla Messaging Graveyard :: Release Engineering, defect, P2
Tracking: blocking-thunderbird3.1 .10+, thunderbird3.1 .10-fixed
People: Reporter: standard8, Assigned: gozer
Whiteboard: [non-code]
Attachments (2 files):
- patch, 2.02 KB, jhopkins: review+
- patch, 517 bytes, jhopkins: review+
+++ This bug was initially created as a clone of Bug #645551 +++
The major update UI displays the contents of the detailURL attribute in the update snippets. We've sandboxed the content to prevent scripts etc., but we appear to load it from an http:// URL which is not secure. This means a MITM could easily replace that content. Results could be simply a spoof ("click this link" to a non-mozilla site), or the content could redirect (or better, meta refresh) to a URL serving an exe, prompting the user to download a trojan.
Pointed out by Aaron Sigel
https://twitter.com/#!/diretraversal/status/52107274294018048
Comment 1 • 14 years ago (Assignee)
We should do all the changes that have been done in Bug #645551, but I am not sure that really makes us any safer.
After all, in the end, you end up making http:// requests to bouncer and download the update via http:// from a mirror, so you could MITM that instead.
Comment 2 • 14 years ago (Assignee)
(In reply to comment #1)
> We should do all the changes that have been done in Bug #645551, but I am not
> sure that really makes us any safer.
>
> After all, in the end, you end up making http:// requests to bouncer and
> download the update via http:// from a mirror, so you could MITM that instead.
Wish I could undo a bug comment. This is incorrect on my part, since the original AUS request was over SSL *and* included sizes+checksums, a rogue (or MITM) mirror would simply just get ignored as an invalid update.
So, let's just update our configuration for this.
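The two points raised in this thread (an http:// details URL in the update snippet, and a mirror download that is checked against the size and checksum from the SSL-fetched update response), as an added example that is not part of the bug report or Mozilla's code. The XML layout, the attribute names `detailsURL`, `hashFunction`, `hashValue` and `size`, the `example.invalid` hosts and both function names are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample data: a stand-in for the update file, and an update
# response shaped like the XML an update server returns (layout assumed).
GOOD_MAR = b"constructed stand-in for a complete update file"
MANIFEST = """<updates>
  <update type="major" version="0.0-example"
          detailsURL="http://updates.example.invalid/details/index.html">
    <patch type="complete" URL="http://mirror.example.invalid/update.mar"
           hashFunction="SHA512" hashValue="{h}" size="{s}"/>
  </update>
</updates>""".format(h=hashlib.sha512(GOOD_MAR).hexdigest(), s=len(GOOD_MAR))


def insecure_details_urls(manifest_xml):
    """Return detailsURL values that are not https (the issue in this bug)."""
    root = ET.fromstring(manifest_xml)
    urls = [u.get("detailsURL") for u in root.iter("update")]
    return [u for u in urls if u and urlsplit(u).scheme.lower() != "https"]


def patch_is_valid(manifest_xml, data):
    """Check downloaded bytes against the size and hash in the manifest.

    Assumes the manifest itself arrived over a verified TLS connection;
    the download may then come from an untrusted http:// mirror.
    """
    patch = ET.fromstring(manifest_xml).find("./update/patch")
    if patch is None:
        return False
    algo = (patch.get("hashFunction") or "").lower()
    if algo not in ("sha256", "sha384", "sha512"):  # allow-list chosen for this example
        return False
    try:
        size = int(patch.get("size", ""))
    except ValueError:
        return False
    if len(data) != size:
        return False
    return hashlib.new(algo, data).hexdigest() == (patch.get("hashValue") or "").lower()


if __name__ == "__main__":
    print("non-https detailsURL:", insecure_details_urls(MANIFEST))
    print("mirror download accepted:", patch_is_valid(MANIFEST, GOOD_MAR))
```

The same `insecure_details_urls` check can be run over generated snippets before they are published, so an http:// details URL is caught at release time rather than in the client.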
Comment 3 • 14 years ago (Assignee)
Comment 4 • 14 years ago (Assignee)
Updated • 14 years ago (Assignee)
Attachment #522403 - Flags: review?(john.hopkins)
Updated • 14 years ago (Assignee)
Attachment #522404 - Flags: review?(john.hopkins)
Updated • 14 years ago
Attachment #522403 - Flags: review?(john.hopkins) → review+
Updated • 14 years ago
Attachment #522404 - Flags: review?(john.hopkins) → review+
Updated • 14 years ago (Reporter)
blocking-thunderbird3.1: --- → .10+
Whiteboard: [non-code]
Comment 5 • 14 years ago
HG commit:
https://hg.mozilla.org/build/tools/rev/1a4da595fcce
CVS commit:
Checking in moz19-thunderbird-branch-major-update-patcher2.cfg;
/cvsroot/mozilla/tools/patcher-configs/moz19-thunderbird-branch-major-update-patcher2.cfg,v <-- moz19-thunderbird-branch-major-update-patcher2.cfg
new revision: 1.26; previous revision: 1.25
done
Checking in moz192-thunderbird-branch-major-update-patcher2.cfg;
/cvsroot/mozilla/tools/patcher-configs/moz192-thunderbird-branch-major-update-patcher2.cfg,v <-- moz192-thunderbird-branch-major-update-patcher2.cfg
new revision: 1.18; previous revision: 1.17
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago (Reporter)
Assignee: nobody → gozer
status-thunderbird3.1: --- → .10-fixed