Bug 721398 - (CVE-2012-0476) moz-page-thumb protocol should not be accessible from a web page
Status: VERIFIED FIXED
Whiteboard: [sg:moderate][qa+]
Keywords: privacy
Product: Firefox
Classification: Client Software
Component: General
Version: 12 Branch
Platform: All All
Importance: -- normal
Target Milestone: Firefox 12
Assigned To: Nobody; OK to take it and work on it
Duplicates: 721408
Blocks: 497543 721422
 
Reported: 2012-01-26 08:05 PST by teramako
Modified: 2012-04-20 12:33 PDT


Attachments
page owner can know URLs are visited in past using img.onerror (1.39 KB, text/html)
2012-01-26 08:05 PST, teramako
patch v1 (1.42 KB, patch)
2012-01-26 09:05 PST, Tim Taubert [:ttaubert]
mak77: review+

Description teramako 2012-01-26 08:05:39 PST
Created attachment 591804
page owner can know URLs are visited in past using img.onerror

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120126 Firefox/12.0a1
Build ID: 20120126031113

Steps to reproduce:

moz-page-thumb://thumbnail?url=.... can be accessed from a web page.
It should be accessible only from a privileged site, for security and privacy reasons.

If it can be accessed from a web page, an evil site owner can know whether or not the user accessed the URL in the past.
Comment 1 Benjamin Smedberg [:bsmedberg] 2012-01-26 08:26:54 PST
Reported publicly in bug 721408, I'm going to open this up. It means we should fix immediately or back out bug 497543.
Comment 2 Benjamin Smedberg [:bsmedberg] 2012-01-26 08:29:04 PST
*** Bug 721408 has been marked as a duplicate of this bug. ***
Comment 3 Tim Taubert [:ttaubert] 2012-01-26 08:38:54 PST
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #1)
> Reported publicly in bug 721408, I'm going to open this up. It means we
> should fix immediately or back out bug 497543.

Going to push the fix in a minute.
Comment 4 Tim Taubert [:ttaubert] 2012-01-26 09:05:50 PST
Created attachment 591820
patch v1
Comment 5 Marco Bonardo [::mak] 2012-01-26 09:09:22 PST
Comment on attachment 591820
patch v1

Review of attachment 591820:
-----------------------------------------------------------------

::: browser/components/thumbnails/Makefile.in
@@ +17,5 @@
>  EXTRA_PP_JS_MODULES = \
>  	PageThumbs.jsm \
>  	$(NULL)
>  
> +#ifdef ENABLE_TESTS
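
Review bot: the added "#ifdef ENABLE_TESTS" line at the end of this hunk begins with "#", which make syntax treats as the start of a comment, so as written it reads as a commented-out conditional rather than a working guard. If the intent is to switch the thumbnail tests off for now, put a one-line comment directly above it that says so and names the follow-up bug, so that the tests covering content access to moz-page-thumb are restored rather than forgotten.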

File a bug to fix the tests, add a comment pointing to that bug.
Comment 6 Tim Taubert [:ttaubert] 2012-01-26 09:33:30 PST
https://hg.mozilla.org/mozilla-central/rev/7cdb5f5d38c6
Comment 7 Paul Silaghi, QA [:pauly] 2012-04-13 04:42:19 PDT
Could you please tell me how to test this?
Comment 8 Tim Taubert [:ttaubert] 2012-04-13 04:45:57 PDT
You can open about:newtab and right-click to inspect the document. Now the .newtab-thumbnail elements have a background-image set. This should look like "moz-page-thumb://thumbnail?url=http%3A%2F%2Fwww.reddit.com%2F".

If you now create a custom web page like data:text/html,<img src="moz-page-thumb://thumbnail?url=http%3A%2F%2Fwww.reddit.com%2F"/> the image should be broken because it's a normal content web page (i.e. without chrome privs).
Comment 9 Virgil Dicu [:virgil] [QA] 2012-04-20 05:55:13 PDT
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0

Verified in Firefox 12 beta 6. The image is now broken when attempting to load it.
Comment 10 Al Billings [:abillings] 2012-04-20 12:33:06 PDT
Verified in trunk with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120418 Firefox/14.0a1.
