Closed Bug 827193 (CVE-2013-0774) Opened 7 years ago Closed 7 years ago

disclosure of profile directory name in JavaScript variable visible to Workers

Categories

(Core :: DOM: Workers, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla21
Tracking Status
firefox17 --- wontfix
firefox18 - wontfix
firefox19 + fixed
firefox20 + fixed
firefox21 --- fixed
firefox-esr17 19+ fixed
b2g18 19+ fixed
b2g18-v1.0.0 --- wontfix

People

(Reporter: freddyb, Assigned: Gavin)

References

Details

(Keywords: privacy, sec-moderate, Whiteboard: [adv-main19+][adv-esr1703+])

Attachments

(3 files)

Attached file PoC html file
The variable "OS" in a Web Workers scope contains some peculiar information, among them:

OS['Constants']['Path']['profileDir'], which is the full path to the firefox profile directory, e.g. "/home/freddy/.mozilla/firefox/6efxvygfz.default". 

I know that the path name contains these random characters for security reasons. Although a quick search revealed no easy way to turn this path disclosure into a serious exploit I suppose it still poses a security risk.

If this is wrong, please uncheck the security-confidential flag.

I will attach a simple test case that explains the issue.
Attached file PoC JS file
The PoC HTMl file references the JS file which as to be in the same directory. Hence, this PoC doesn't work on bugzilla but has to be downloaded.
This seems to have been introduced by http://hg.mozilla.org/mozilla-central/rev/1bbc0b65dffb#l39.1.

"fix build warnings"? o_O
Blocks: 743573
Sorry, I misread that. http://hg.mozilla.org/mozilla-central/diff/685e5580a1f4/dom/workers/WorkerScope.cpp just put the parenthesis at the wrong place.
Blocks: 739740
No longer blocks: 743573
Attached patch patchSplinter Review
Assignee: nobody → gavin.sharp
Status: NEW → ASSIGNED
Attachment #698518 - Flags: review?(khuey)
Comment on attachment 698518 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): present since introduction of the feature in Firefox 15 (bug 739740)
User impact if declined: privacy leak, potential security risk if combined with other bugs
Testing completed (on m-c, etc.): none
Risk to taking this patch (and alternatives if risky): it's a simple change of logic to match what was originally intended, very low risk
String or UUID changes made by this patch: none
Attachment #698518 - Flags: approval-mozilla-beta?
Attachment #698518 - Flags: approval-mozilla-aurora?
Comment on attachment 698518 [details] [diff] [review]
patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: I think the privacy impact/risk ratio is high enough that this merits landing on ESR for the next release as well.

See comment 7 for the rest of the risk analysis.
Attachment #698518 - Flags: approval-mozilla-esr17?
Comment on attachment 698518 [details] [diff] [review]
patch

This impacts b2g as well, but I'm not confident about what the current b2g18 policy is.
Attachment #698518 - Flags: approval-mozilla-b2g18?
Comment on attachment 698518 [details] [diff] [review]
patch

Let's wait until after 1/15 to land on B2G's branch.
Attachment #698518 - Flags: approval-mozilla-esr17?
Attachment #698518 - Flags: approval-mozilla-esr17+
Attachment #698518 - Flags: approval-mozilla-beta?
Attachment #698518 - Flags: approval-mozilla-beta+
Attachment #698518 - Flags: approval-mozilla-aurora?
Attachment #698518 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/e370fc6fae8e
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Still waiting to take patches for 1.0.1 as per https://wiki.mozilla.org/Release_Management/B2G_Landing we'll be opening mozilla-b2g18 up for landings after 1/25 so leaving the nomination.
Comment on attachment 698518 [details] [diff] [review]
patch

This can now be landed mozilla-b2g18, which is currently v1.0.1.
Attachment #698518 - Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
Flags: in-testsuite? → in-testsuite+
Whiteboard: [adv-main19+][adv-esr1703+]
Alias: CVE-2013-0774
Group: core-security
You need to log in before you can comment on or make changes to this bug.