Closed Bug 721398 (CVE-2012-0476) Opened 13 years ago Closed 13 years ago

moz-page-thumb protocol should not be accessible from a web page

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
12 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 12
Tracking Flags:
Tracking Status
firefox11 --- unaffected
firefox12 + verified
firefox-esr10 --- unaffected

People

(Reporter: teramako, Unassigned)

References

Details

(Keywords: privacy, Whiteboard: [sg:moderate][qa+])

Attachments

(2 files)

page owner can know URLs are visited in past using img.onerror
1.39 KB, text/html
Details
patch v1
1.42 KB, patch
mak
: review+
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120126 Firefox/12.0a1 Build ID: 20120126031113 Steps to reproduce: moz-page-thumb://thumbnail?url=.... can access from a web page. It should access only in privileged site for security and privacy reason. If can access on a web page, evil site owner can know that the user accessed or not the URL in past.
Attachment #591804 - Attachment mime type: text/plain → text/html
Reported publicly in bug 721408, I'm going to open this up. It means we should fix immediately or back out bug 497543.
Group: core-security
Component: Untriaged → Places
Product: Firefox → Toolkit
QA Contact: untriaged → places
Whiteboard: [sg:high]
Assignee: nobody → ttaubert
Blocks: 497543
status-firefox11: --- → unaffected
status-firefox12: --- → affected
tracking-firefox12: --- → +
(In reply to Benjamin Smedberg [:bsmedberg] from comment #1) > Reported publicly in bug 721408, I'm going to open this up. It means we > should fix immediately or back out bug 497543. Going to push the fix in a minute.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attached patch patch v1Splinter Review
Attachment #591820 - Flags: review?(mak77)
Comment on attachment 591820 [details] [diff] [review] patch v1 Review of attachment 591820 [details] [diff] [review]: ----------------------------------------------------------------- ::: browser/components/thumbnails/Makefile.in @@ +17,5 @@ > EXTRA_PP_JS_MODULES = \ > PageThumbs.jsm \ > $(NULL) > > +#ifdef ENABLE_TESTS File a bug to fix the tests, add a comment pointing to that bug.
Attachment #591820 - Flags: review?(mak77) → review+
Assignee: ttaubert → nobody
Component: Places → General
Product: Toolkit → Firefox
QA Contact: places → general
https://hg.mozilla.org/mozilla-central/rev/7cdb5f5d38c6
Blocks: 721422
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
OS: Windows XP → All
Hardware: x86 → All
Resolution: --- → FIXED
Summary: moz-page-thumb protocol should not access from a web page → moz-page-thumb protocol should not be accessible from a web page
Target Milestone: --- → Firefox 12
Whiteboard: [sg:high] → [sg:high][qa+]
Could you please tell me how to test this ?
You can open about:newtab and right-click to inspect the document. Now the .newtab-thumbnail elements have a background-image set. This should look like "moz-page-thumb://thumbnail?url=http%3A%2F%2Fwww.reddit.com%2F". If you now create a custom web page like data:text/html,<img src="moz-page-thumb://thumbnail?url=http%3A%2F%2Fwww.reddit.com%2F"/> the image should be broken because it's a normal content web page (i.e. without chrome privs).
Alias: CVE-2012-0476
status-firefox-esr10: --- → unaffected
Keywords: privacy
Whiteboard: [sg:high][qa+] → [sg:moderate][qa+]
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0 Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0 Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Verified in Firefox 12 beta 6. The image is now broken when attempting to load it.
status-firefox12: fixedverified
Verified in trunk with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120418 Firefox/14.0a1.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: