Bug 721398 (CVE-2012-0476)

moz-page-thumb protocol should not be accessible from a web page

VERIFIED FIXED in Firefox 12

Status

()

Firefox
General
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: teramako, Unassigned)

Tracking

({privacy})

12 Branch
Firefox 12
privacy
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox11 unaffected, firefox12+ verified, firefox-esr10 unaffected)

Details

(Whiteboard: [sg:moderate][qa+])

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 591804 [details]
page owner can know URLs are visited in past using img.onerror

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120126 Firefox/12.0a1
Build ID: 20120126031113

Steps to reproduce:

moz-page-thumb://thumbnail?url=.... can access from a web page.
It should access only in privileged site for security and privacy reason.

If can access on a web page, evil site owner can know that the user accessed or not the URL in past.
Attachment #591804 - Attachment mime type: text/plain → text/html
Reported publicly in bug 721408, I'm going to open this up. It means we should fix immediately or back out bug 497543.
Group: core-security
Component: Untriaged → Places
Product: Firefox → Toolkit
QA Contact: untriaged → places
Whiteboard: [sg:high]
Assignee: nobody → ttaubert
Blocks: 497543
status-firefox11: --- → unaffected
status-firefox12: --- → affected
tracking-firefox12: --- → +
Duplicate of this bug: 721408
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #1)
> Reported publicly in bug 721408, I'm going to open this up. It means we
> should fix immediately or back out bug 497543.

Going to push the fix in a minute.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Created attachment 591820 [details] [diff] [review]
patch v1
Attachment #591820 - Flags: review?(mak77)
Comment on attachment 591820 [details] [diff] [review]
patch v1

Review of attachment 591820 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/components/thumbnails/Makefile.in
@@ +17,5 @@
>  EXTRA_PP_JS_MODULES = \
>  	PageThumbs.jsm \
>  	$(NULL)
>  
> +#ifdef ENABLE_TESTS

File a bug to fix the tests, add a comment pointing to that bug.
Attachment #591820 - Flags: review?(mak77) → review+

Updated

6 years ago
Assignee: ttaubert → nobody
Component: Places → General
Product: Toolkit → Firefox
QA Contact: places → general
https://hg.mozilla.org/mozilla-central/rev/7cdb5f5d38c6
Blocks: 721422
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
OS: Windows XP → All
Hardware: x86 → All
Resolution: --- → FIXED
Summary: moz-page-thumb protocol should not access from a web page → moz-page-thumb protocol should not be accessible from a web page
Target Milestone: --- → Firefox 12

Updated

6 years ago
status-firefox12: affected → ---

Updated

6 years ago
status-firefox12: --- → fixed
Whiteboard: [sg:high] → [sg:high][qa+]
Could you please tell me how to test this ?
You can open about:newtab and right-click to inspect the document. Now the .newtab-thumbnail elements have a background-image set. This should look like "moz-page-thumb://thumbnail?url=http%3A%2F%2Fwww.reddit.com%2F".

If you now create a custom web page like data:text/html,<img src="moz-page-thumb://thumbnail?url=http%3A%2F%2Fwww.reddit.com%2F"/> the image should be broken because it's a normal content web page (i.e. without chrome privs).
Alias: CVE-2012-0476
status-firefox-esr10: --- → unaffected
Keywords: privacy
Whiteboard: [sg:high][qa+] → [sg:moderate][qa+]
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0

Verified in Firefox 12 beta 6. The image is now broken when attempting to load it.
status-firefox12: fixed → verified
Verified in trunk with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120418 Firefox/14.0a1.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.