Bug 827193 - (CVE-2013-0774) disclosure of profile directory name in JavaScript variable visible to Workers
Keywords: privacy, sec-moderate
Product: Core
Classification: Components
Component: DOM: Workers
Version: unspecified
Platform: All All
Importance: -- normal
Target Milestone: mozilla21
Assigned To: :Gavin Sharp [email:]
QA Contact: Andrew Overholt [:overholt]
Depends on:
Blocks: 739740 827801
Reported: 2013-01-06 19:23 PST by Frederik Braun [:freddyb]
Modified: 2013-11-25 13:20 PST
Flags: ryanvm: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments:
PoC html file (339 bytes, text/html) - 2013-01-06 19:23 PST, Frederik Braun [:freddyb]
PoC JS file (123 bytes, application/javascript) - 2013-01-06 19:24 PST, Frederik Braun [:freddyb]
patch (3.70 KB, patch) - 2013-01-06 20:24 PST, :Gavin Sharp [email:]
  khuey: review+
  akeybl: approval-mozilla-aurora+
  akeybl: approval-mozilla-beta+
  akeybl: approval-mozilla-esr17+
  akeybl: approval-mozilla-b2g18+

Description Frederik Braun [:freddyb] 2013-01-06 19:23:49 PST
Created attachment 698511 [details]
PoC html file

The variable "OS" in a Web Workers scope contains some peculiar information, among them:

OS['Constants']['Path']['profileDir'], which is the full path to the firefox profile directory, e.g. "/home/freddy/.mozilla/firefox/6efxvygfz.default". 

I know that the path name contains these random characters for security reasons. Although a quick search revealed no easy way to turn this path disclosure into a serious exploit I suppose it still poses a security risk.

If this is wrong, please uncheck the security-confidential flag.

I will attach a simple test case that explains the issue.
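Added example (not the reporter's PoC and not Mozilla's own test): a probe a Web Worker can run against its own global scope to report whether an `OS` object, and specifically `OS.Constants.Path.profileDir`, is reachable from content script. The function names `probeWorkerScope`, `buildProbeWorkerSource` and `startProbe` are assumed for this example; the two scope objects at the end are constructed stand-ins (the path value is made up, not a real profile), and the `tmpDir` key is included only to show that the probe lists whatever `OS.Constants.Path` exposes.

```javascript
// Example code added here, not from the bug report or the Firefox tree.
// Assumed/hypothetical names: probeWorkerScope, buildProbeWorkerSource,
// startProbe, LEAKY_SCOPE, CLEAN_SCOPE.

// Inspect a worker-global-like object and report what it exposes.
// Returns a plain object so it can be posted back to the page with
// postMessage or asserted on directly.
function probeWorkerScope(scope) {
  const report = { osExposed: false, pathKeys: [], profileDir: null };
  const os = scope && scope.OS;
  if (!os || typeof os !== 'object') return report;
  report.osExposed = true;
  const path = os.Constants && os.Constants.Path;
  if (path && typeof path === 'object') {
    report.pathKeys = Object.keys(path).sort();
    if (typeof path.profileDir === 'string') report.profileDir = path.profileDir;
  }
  return report;
}

// Source text for a worker that runs the probe on `self` and posts the
// result back. Building the worker from a Blob URL avoids the same-directory
// requirement the original two-file PoC has.
function buildProbeWorkerSource() {
  return probeWorkerScope.toString() + '\n' +
    'self.postMessage(probeWorkerScope(self));\n';
}

// Browser-only entry point: resolves with the worker's report.
// In an environment without the Worker API it rejects instead of throwing.
function startProbe() {
  if (typeof Worker === 'undefined' || typeof Blob === 'undefined') {
    return Promise.reject(new Error('no Worker API in this environment'));
  }
  const blob = new Blob([buildProbeWorkerSource()], { type: 'application/javascript' });
  const url = URL.createObjectURL(blob);
  return new Promise((resolve, reject) => {
    const w = new Worker(url);
    const done = () => { w.terminate(); URL.revokeObjectURL(url); };
    w.onmessage = (e) => { done(); resolve(e.data); };
    w.onerror = (e) => { done(); reject(e); };
  });
}

// Constructed stand-in for the pre-fix worker global (shape taken from the
// report; the path value and the tmpDir key are made up for this example).
const LEAKY_SCOPE = {
  OS: {
    Constants: {
      Path: {
        profileDir: '/home/example/.mozilla/firefox/abcd1234.default',
        tmpDir: '/tmp',
      },
    },
  },
};

// Constructed stand-in for a worker scope that does not expose OS at all.
const CLEAN_SCOPE = { postMessage() {} };
```

On an affected build, `startProbe().then(console.log)` from any web page should resolve with `osExposed: true` and the profile path; on a fixed build the report has `osExposed: false`, since content workers are not supposed to see `OS` at all.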
Comment 1 Frederik Braun [:freddyb] 2013-01-06 19:24:39 PST
Created attachment 698512 [details]
PoC JS file
Comment 2 Frederik Braun [:freddyb] 2013-01-06 19:26:22 PST
The PoC HTML file references the JS file, which has to be in the same directory. Hence, this PoC doesn't work on bugzilla but has to be downloaded.
Comment 3 :Gavin Sharp [email:] 2013-01-06 19:57:50 PST
This seems to have been introduced by

"fix build warnings"? o_O
Comment 4 :Gavin Sharp [email:] 2013-01-06 20:01:16 PST
Sorry, I misread that. just put the parenthesis at the wrong place.
Comment 5 :Gavin Sharp [email:] 2013-01-06 20:24:19 PST
Created attachment 698518 [details] [diff] [review]
Comment 6 :Gavin Sharp [email:] 2013-01-07 14:09:01 PST
Comment 7 :Gavin Sharp [email:] 2013-01-07 15:07:24 PST
Comment on attachment 698518 [details] [diff] [review]

[Approval Request Comment]
Bug caused by (feature/regressing bug #): present since introduction of the feature in Firefox 15 (bug 739740)
User impact if declined: privacy leak, potential security risk if combined with other bugs
Testing completed (on m-c, etc.): none
Risk to taking this patch (and alternatives if risky): it's a simple change of logic to match what was originally intended, very low risk
String or UUID changes made by this patch: none
Comment 8 :Gavin Sharp [email:] 2013-01-07 15:09:09 PST
Comment on attachment 698518 [details] [diff] [review]

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: I think the privacy impact/risk ratio is high enough that this merits landing on ESR for the next release as well.

See comment 7 for the rest of the risk analysis.
Comment 9 :Gavin Sharp [email:] 2013-01-07 15:09:55 PST
Comment on attachment 698518 [details] [diff] [review]

This impacts b2g as well, but I'm not confident about what the current b2g18 policy is.
Comment 10 Alex Keybl [:akeybl] 2013-01-07 15:41:59 PST
Comment on attachment 698518 [details] [diff] [review]

Let's wait until after 1/15 to land on B2G's branch.
Comment 12 Ed Morley [:emorley] 2013-01-08 04:44:37 PST
Comment 13 Lukas Blakk [:lsblakk] use ?needinfo 2013-01-22 12:38:21 PST
Still waiting to take patches for 1.0.1 as per we'll be opening mozilla-b2g18 up for landings after 1/25 so leaving the nomination.
Comment 14 Alex Keybl [:akeybl] 2013-01-31 16:59:09 PST
Comment on attachment 698518 [details] [diff] [review]

This can now be landed mozilla-b2g18, which is currently v1.0.1.
Comment 15 Ryan VanderMeulen [:RyanVM] 2013-02-01 06:42:40 PST