Bug 827193 (CVE-2013-0774): disclosure of profile directory name in JavaScript variable visible to Workers
Status: Closed (opened 12 years ago, closed 12 years ago)
Categories: Core :: DOM: Workers, defect
People: Reporter: freddy, Assigned: Gavin
Keywords: privacy, sec-moderate
Whiteboard: [adv-main19+][adv-esr1703+]
Attachments (3 files):
- 339 bytes, text/html
- 123 bytes, application/javascript
- 3.70 KB, patch (khuey: review+; akeybl: approval-mozilla-aurora+, approval-mozilla-beta+, approval-mozilla-esr17+, approval-mozilla-b2g18+)
Description
The variable "OS" in a Web Workers scope contains some peculiar information, among them:
OS['Constants']['Path']['profileDir'], which is the full path to the Firefox profile directory, e.g. "/home/freddy/.mozilla/firefox/6efxvygfz.default".
I know that the path name contains these random characters for security reasons. Although a quick search revealed no easy way to turn this path disclosure into a serious exploit, I suppose it still poses a security risk.
If this is wrong, please uncheck the security-confidential flag.
I will attach a simple test case that explains the issue.
Comment 1•12 years ago (Reporter)
Comment 2•12 years ago (Reporter)
The PoC HTML file references the JS file, which has to be in the same directory. Hence, this PoC doesn't work on Bugzilla but has to be downloaded.
Comment 3•12 years ago (Assignee)
This seems to have been introduced by http://hg.mozilla.org/mozilla-central/rev/1bbc0b65dffb#l39.1.
"fix build warnings"? o_O
Blocks: 743573
Updated•12 years ago (Assignee)
status-firefox17: --- → wontfix
status-firefox18: --- → wontfix
tracking-firefox19: --- → ?
tracking-firefox20: --- → ?
tracking-firefox-esr17: --- → ?
Updated•12 years ago (Assignee)
Keywords: privacy, sec-moderate
Comment 4•12 years ago (Assignee)
Sorry, I misread that. http://hg.mozilla.org/mozilla-central/diff/685e5580a1f4/dom/workers/WorkerScope.cpp just put the parenthesis in the wrong place.
Comment 5•12 years ago (Assignee)
Updated•12 years ago (Assignee)
tracking-firefox18: --- → ?
Attachment #698518 - Flags: review?(khuey) → review+
Updated•12 years ago
status-firefox19: --- → affected
status-firefox20: --- → affected
Comment 6•12 years ago (Assignee)
Target Milestone: --- → mozilla21
Comment 7•12 years ago (Assignee)
Comment on attachment 698518 (patch)
[Approval Request Comment]
Bug caused by (feature/regressing bug #): present since introduction of the feature in Firefox 15 (bug 739740)
User impact if declined: privacy leak, potential security risk if combined with other bugs
Testing completed (on m-c, etc.): none
Risk to taking this patch (and alternatives if risky): it's a simple change of logic to match what was originally intended, very low risk
String or UUID changes made by this patch: none
Attachment #698518 - Flags: approval-mozilla-beta?
Attachment #698518 - Flags: approval-mozilla-aurora?
Comment 8•12 years ago (Assignee)
Comment on attachment 698518 (patch)
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: I think the privacy impact/risk ratio is high enough that this merits landing on ESR for the next release as well.
See comment 7 for the rest of the risk analysis.
Attachment #698518 - Flags: approval-mozilla-esr17?
Comment 9•12 years ago (Assignee)
Comment on attachment 698518 (patch)
This impacts b2g as well, but I'm not confident about what the current b2g18 policy is.
Attachment #698518 - Flags: approval-mozilla-b2g18?
Comment 10•12 years ago
Comment on attachment 698518 (patch)
Let's wait until after 1/15 to land on B2G's branch.
Attachment #698518 - Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
Attachment #698518 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #698518 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 11•12 years ago (Assignee)
Comment 12•12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 13•12 years ago
Still waiting to take patches for 1.0.1; as per https://wiki.mozilla.org/Release_Management/B2G_Landing we'll be opening mozilla-b2g18 up for landings after 1/25, so leaving the nomination.
Comment 14•12 years ago
Comment on attachment 698518 (patch)
This can now be landed on mozilla-b2g18, which is currently v1.0.1.
Attachment #698518 - Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
Comment 15•12 years ago
Updated•12 years ago
Flags: in-testsuite? → in-testsuite+
Updated•12 years ago
Whiteboard: [adv-main19+][adv-esr1703+]
Updated•12 years ago
Alias: CVE-2013-0774
Updated•11 years ago
Group: core-security