Closed
Bug 868327
(CVE-2013-5593)
Opened 12 years ago
Closed 11 years ago
Mozilla Firefox Navigation away from a page with an active <select> dropdown menu can be used for URL/SSL spoofing and ClickJacking Attacks
Categories
(Core :: Layout, defect)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla25
| | Tracking | Status |
|---|---|---|
| firefox25 | --- | verified |
| firefox-esr17 | --- | wontfix |
| firefox-esr24 | 25+ | verified |
| b2g18 | --- | unaffected |
People
(Reporter: jordi.chancel, Assigned: MatsPalmgren_bugz)
References
Details
(Keywords: csectype-clickjacking, reporter-external, sec-moderate, Whiteboard: [adv-main25+][adv-esr24-1+])
Attachments
(1 file, 1 obsolete file)
1.75 KB, patch | roc: review+ | bajaj: approval-mozilla-esr24+
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Build ID: 20130409194949
Steps to reproduce: SELECT / OPTION elements may contain HTML content and surpass the location bar and the geolocation box (for example); with these elements it is possible to make multiple attacks like SSL URL spoofing and clickjacking.
Actual results: The location bar and the SSL indicia are spoofed and the geolocation authorization can be bypassed.
Expected results: Select/Option elements surpass all other elements (location bar / geolocation box ...)
Comment 1•12 years ago (Reporter)
Video (not listed) of the proof of concept => https://www.youtube.com/watch?v=tF5LTfQhSzw
Updated•12 years ago
Component: General → Security
Flags: sec-bounty?
Updated•12 years ago
Flags: needinfo?(mwobensmith)
Comment 2•12 years ago
Confirmed. What I see:
- On screen resolution 1440x900, double-clicking the link causes the geolocation access dialog to appear only briefly; user has opted into sharing geolocation without knowingly clicking the confirmation, as indicated by the geolocation icon in the URL bar.
- On screen resolution 1055x722 (virtualized system), double-clicking the link causes the PNG to overlay the browser chrome above the location bar.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(mwobensmith)
Comment 3•12 years ago (Reporter)
What is the severity of this vulnerability?
Updated•12 years ago
Flags: needinfo?(dveditz)
Updated•12 years ago
Attachment #745055 - Attachment mime type: application/octet-stream → application/java-archive
Comment 4•12 years ago
Any updates here, Dan?
Comment 5•12 years ago
The geolocation clickjacking is a duplicate. Floating the image over the URL bar is a good trick but a visual spoof like that is sec-moderate at best. (Getting real but incorrect text into the actual location bar is what's required for sec-high.)
Comment 6•11 years ago (Assignee)
This should fix the problem with the drop-down menu overlapping the URL bar. A double-click can likely still be used to overlap any UI that hangs down over the content area like the geolocation prompt. With this patch the drop-down in the test is opened below the combobox (out-of-view) but this shouldn't be a problem for normal pages since this is an edge case where the drop-down has already been resized to show only one option and that option is too big to fit on either side -- before this patch we chose the side with the most room and if that was above then it could overlap UI; with this patch we always choose to open it below for this edge case. BTW, the combobox double-click trick only works on Windows afaict; on Linux and OSX the drop-down menu is closed after the double-click. Not sure why there's a difference.
Assignee: nobody → matspal
Attachment #780663 - Flags: review?(roc)
Attachment #780663 - Flags: review?(roc) → review+
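The placement rule described in comment 6, as an added example: a simplified model with hypothetical names, not the attached patch and not Gecko's code. The normal-case rule and the "space above/below" inputs are assumptions; only the edge-case branch reflects what the comment states.

```cpp
#include <algorithm>
#include <cstdio>

// Simplified model of combobox drop-down placement (hypothetical names,
// not Gecko's code). All lengths are in pixels.
enum class Side { Below, Above };

struct Placement {
    Side side;
    int rows;      // option rows shown after the list is resized to fit
    int overflow;  // how far the list extends past the space on that side
};

// spaceAbove/spaceBelow: room on each side of the combobox within the area
// the list is allowed to cover. fixedBehaviour selects the patched rule.
Placement placeDropdown(int spaceAbove, int spaceBelow, int rowHeight,
                        int rowCount, bool fixedBehaviour) {
    auto rowsThatFit = [&](int space) {
        return std::min(rowCount, space / rowHeight);
    };
    int below = rowsThatFit(spaceBelow);
    int above = rowsThatFit(spaceAbove);

    // Normal case (assumed rule): open below unless above shows more rows.
    if (below >= 1 || above >= 1) {
        if (above > below) return {Side::Above, above, 0};
        return {Side::Below, below, 0};
    }

    // Edge case from comment 6: the list is down to one row and that row
    // is taller than the space on either side.
    bool openAbove = !fixedBehaviour && spaceAbove > spaceBelow;
    int space = openAbove ? spaceAbove : spaceBelow;
    return {openAbove ? Side::Above : Side::Below, 1, rowHeight - space};
}

// Opening above with overflow draws the list over UI above the content area.
bool coversUiAbove(const Placement& p) {
    return p.side == Side::Above && p.overflow > 0;
}

int main() {
    // Constructed sample: one 600px-tall option, 300px above, 100px below.
    Placement before = placeDropdown(300, 100, 600, 1, false);
    Placement after = placeDropdown(300, 100, 600, 1, true);
    std::printf("covers UI above: before=%d after=%d\n",
                coversUiAbove(before), coversUiAbove(after));
    return 0;
}
```

With the patched rule the oversized row overflows downward, out of view, instead of upward over the location bar.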
Comment 7•11 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/2e27eaf8ebc2
Flags: in-testsuite?
Comment 8•11 years ago
https://hg.mozilla.org/mozilla-central/rev/2e27eaf8ebc2
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox25: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Comment 9•11 years ago (Assignee)
Filed bug 898035 on the combobox drop-down menu covering a door-hanger.
Comment 10•11 years ago (Reporter)
Where can I download Firefox with the fix for this vulnerability? I would test it!
Comment 11•11 years ago (Assignee)
Here are the Nightly builds: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-central/
Load about:buildconfig and click on the "Built from" link to see the changeset it was built from. If the number is greater than the mozilla-central changeset number above (139940) then it contains the fix.
Comment 12•11 years ago (Reporter)
Yes! Good job!!! RESOLVED FIXED ;)
Updated•11 years ago
Flags: sec-bounty? → sec-bounty+
Comment 14•11 years ago
Verified fixed FF25 2013-08-29.
Comment 15•11 years ago
Given the tiny patch and low risk we should just take this on ESR24
status-b2g18: --- → unaffected
status-firefox-esr17: --- → wontfix
status-firefox-esr24: --- → affected
tracking-firefox-esr24: --- → 25+
Updated•11 years ago
Flags: needinfo?(matspal)
Comment 17•11 years ago (Assignee)
Comment on attachment 780663: fix
This patch applies cleanly to ESR24.
Attachment #780663 - Flags: approval-mozilla-esr24?
Updated•11 years ago
Attachment #780663 - Flags: approval-mozilla-esr24? → approval-mozilla-esr24+
Comment 18•11 years ago (Assignee)
https://hg.mozilla.org/releases/mozilla-esr24/rev/00bb6aeae85f
Flags: needinfo?(matspal)
Updated•11 years ago
Whiteboard: [adv-main25+] → [adv-main25+][adv-esr24-1+]
Updated•11 years ago
Alias: CVE-2013-5593
Updated•10 years ago
Group: core-security
Updated•9 years ago (Reporter)
Attachment #745055 - Attachment is obsolete: true
Updated•4 months ago
Keywords: reporter-external
Updated•3 months ago
Keywords: csectype-spoof → csectype-clickjacking