[Image-uploader] Vulnerability analysis issues

RESOLVED WONTFIX

Status

Firefox OS
Gaia
RESOLVED WONTFIX
6 years ago
5 months ago

People

(Reporter: GH to BZ, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [label:system])

(Reporter)

Description

6 years ago
[GitHub issue by mcjimenez on 2012-09-14T09:41:36Z, https://github.com/mozilla-b2g/gaia/issues/4730]
We have run an automated vulnerability analysis on the Gaia code. 
After manually filtering the results we have found the following possible issues on the image-uploader app:

* /js/ext/oauth.js 

On line 333 of oauth.js the program uses insecure Randomness. Standard pseudo-random number generators cannot withstand cryptographic attacks.

Aditionally we have two separate oauth implementations: this one and the one in the communications app. Wouldn't it be better to join them?

```html

331 var result = "";
332 for (var i = 0; i < length; ++i) {
333 var rnum = Math.floor(Math.random() * chars.length);
334 result += chars.substring(rnum, rnum+1);
335 }

```
Math.random function isn't cryptographically robust. It's very probable that two apps executing in paralell
will get exactly the same chain of pseudorandom values. For this use case, and since the random
values are used to calculate an OAuth nonce, the server could reject the petitions since it would
identify them as a repetition attack.
http://baagoe.org/en/w/index.php/Better_random_numbers_for_javascript.

* /js/image-uploader.js 

The method setStatus() in image-uploader.js sends unvalidated data to a web browser
on line 447, which can result in the browser executing malicious code.

```html
78 if (xhr.responseText.match(url + 'show/')) {
79 var re = new RegExp(url + 'show/(.*).html');
80 var ar = re.exec(xhr.responseText);
81 var pid = ar[1];
82 var up = ar[0];
83 setStatus('Uploaded successfully: ' + pid);
....
445 function setStatus(msg) {
446 showBannerStatus();
447 document.getElementById('uploaded').innerHTML = msg;
448 }

```
The value beging passed is read from a XMLHttpRequest invocation over which we have
no control (mozSystem: true ->It is not even be in the same domain)
(Reporter)

Comment 1

6 years ago
[GitHub comment by mcjimenez on 2012-09-15T09:54:36Z]
cc @AntonioMA

Comment 2

5 months ago
Firefox OS is not being worked on
Status: NEW → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.