Bug 868327 - (CVE-2013-5593) Mozilla Firefox Navigation away from a page with an active <select> dropdown menu can be used for URL/SSL spoofing and ClickJacking Attacks
Status: VERIFIED FIXED
Whiteboard: [adv-main25+][adv-esr24-1+]
Keywords: csectype-spoof, sec-moderate
Product: Core
Classification: Components
Component: Layout
Version: 20 Branch
Platform: x86_64 Windows 7
Importance: -- normal
Target Milestone: mozilla25
Assigned To: Mats Palmgren (:mats)
Jet Villegas (:jet)
Reported: 2013-05-03 01:28 PDT by Jordi Chancel
Modified: 2016-03-29 12:52 PDT (History)
dchanm+bugzilla: sec-bounty+
mats: in-testsuite?
Attachments
SSL-URL-SPOOF-AND-GEOLOCATION-CLICKJACKING.zip (9.67 KB, application/java-archive)
2013-05-03 01:28 PDT, Jordi Chancel
fix (1.75 KB, patch)
2013-07-24 15:59 PDT, Mats Palmgren (:mats)
roc: review+
bajaj.bhavana: approval-mozilla-esr24+

Description Jordi Chancel 2013-05-03 01:28:10 PDT
Created attachment 745055 [details]
SSL-URL-SPOOF-AND-GEOLOCATION-CLICKJACKING.zip

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Build ID: 20130409194949

Steps to reproduce:

SELECT / OPTION elements may contain HTML content and can extend over the location bar and the geolocation box (for example); with these elements it is possible to perform multiple attacks such as SSL URL spoofing and clickjacking.


Actual results:

The Location Bar and the SSL indicia are spoofed and the geolocation authorization can be bypassed.


Expected results:

Select/Option elements extend over all other elements (location bar / geolocation box ...).
Comment 1 Jordi Chancel 2013-05-03 01:31:07 PDT
Video (not listed) of the proof of concept => https://www.youtube.com/watch?v=tF5LTfQhSzw
Comment 2 Matt Wobensmith [:mwobensmith][:matt:] 2013-05-10 15:51:56 PDT
Confirmed. What I see:

- On screen resolution 1440x900, double-clicking the link causes the geolocation access dialog to appear only briefly; user has opted into sharing geolocation without knowingly clicking the confirmation, as indicated by the geolocation icon in the URL bar.

- On screen resolution 1055x722 (virtualized system), double-clicking the link causes the PNG to overlay the browser chrome above the location bar.
Comment 3 Jordi Chancel 2013-05-14 13:34:01 PDT
What is the severity of this vulnerability?
Comment 4 Andrew McCreight [:mccr8] 2013-05-22 10:11:58 PDT
Any updates here, Dan?
Comment 5 Daniel Veditz [:dveditz] 2013-05-22 10:20:58 PDT
The geolocation clickjacking is a duplicate. Floating the image over the URL bar is a good trick but a visual spoof like that is sec-moderate at best. (Getting real but incorrect text into the actual location bar is what's required for sec-high.)
Comment 6 Mats Palmgren (:mats) 2013-07-24 15:59:04 PDT
Created attachment 780663 [details] [diff] [review]
fix

This should fix the problem with the drop-down menu overlapping the
URL bar.  A double-click can likely still be used to overlap any UI
that hangs down over the content area like the geolocation prompt.

With this patch the drop-down in the test is opened below the combobox
(out-of-view) but this shouldn't be a problem for normal pages since
this is an edge case where the drop-down has already been resized to show
only one option and that option is too big to fit on either side --
before this patch we chose the side with the most room and if that was
above then it could overlap UI; with this patch we always choose to
open it below for this edge case.

BTW, the combobox double-click trick only works on Windows afaict;
on Linux and OSX the drop-down menu is closed after the double-click.
Not sure why there's a difference.
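The placement rule comment 6 describes, modelled as an added C++ example (a constructed illustration, not Gecko's layout code; all names and the flat vertical coordinate system are assumptions). The `fixApplied` flag switches between the pre-patch "side with the most room" rule and the patched "always below" rule for the one-option-too-tall edge case, and the result reports whether the menu's top edge would land over browser chrome.

```cpp
#include <algorithm>

// Vertical coordinates only; y grows downward and y == 0 is the top of the
// content area, so a negative top edge lies over browser chrome (URL bar).
enum class Side { Above, Below };

struct Placement {
    Side side;
    int top;             // y of the drop-down's top edge
    bool overlapsChrome; // true when the top edge is above the content area
};

// comboboxTop/comboboxHeight: the <select> box inside the content area.
// contentHeight: height of the content area.
// menuHeight: height the drop-down wants; in the bug's edge case it has already
//             been reduced to a single (oversized) option.
// fixApplied: false = pre-patch rule, true = post-patch rule.
Placement PlaceDropDown(int comboboxTop, int comboboxHeight, int contentHeight,
                        int menuHeight, bool fixApplied) {
    const int spaceAbove = comboboxTop;
    const int spaceBelow = contentHeight - (comboboxTop + comboboxHeight);
    Side side;
    if (menuHeight <= spaceBelow) {
        side = Side::Below;                  // normal case: fits below
    } else if (menuHeight <= spaceAbove) {
        side = Side::Above;                  // fits above instead
    } else if (fixApplied) {
        side = Side::Below;                  // patched: fits nowhere, open below
    } else {
        // pre-patch: pick the side with the most room, which may be above
        side = spaceAbove > spaceBelow ? Side::Above : Side::Below;
    }
    const int top = (side == Side::Below) ? comboboxTop + comboboxHeight
                                          : comboboxTop - menuHeight;
    return {side, top, top < 0};
}
```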
Comment 8 Ed Morley [:emorley] 2013-07-25 08:51:59 PDT
https://hg.mozilla.org/mozilla-central/rev/2e27eaf8ebc2
Comment 9 Mats Palmgren (:mats) 2013-07-25 10:18:00 PDT
Filed bug 898035 on the combobox drop-down menu covering a door-hanger.
Comment 10 Jordi Chancel 2013-07-26 04:34:27 PDT
Where can I download Firefox with the fix for this vulnerability?
I would like to test it!
Comment 11 Mats Palmgren (:mats) 2013-07-26 08:13:02 PDT
Here are the Nightly builds:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-central/

Load about:buildconfig and click the "Built from" link to see the changeset
it was built from.  If the number is greater than the mozilla-central
changeset number above (139940) then it contains the fix.
Comment 12 Jordi Chancel 2013-07-26 09:37:16 PDT
Yes! Good job!!! RESOLVED FIXED ;)
Comment 14 Matt Wobensmith [:mwobensmith][:matt:] 2013-08-29 14:36:47 PDT
Verified fixed FF25 2013-08-29.
Comment 15 Daniel Veditz [:dveditz] 2013-10-11 15:27:19 PDT
Given the tiny patch and low risk we should just take this on ESR24
Comment 16 Al Billings [:abillings] 2013-10-15 15:24:56 PDT
Mats, can I get an ESR24 patch please?
Comment 17 Mats Palmgren (:mats) 2013-10-15 16:12:50 PDT
Comment on attachment 780663 [details] [diff] [review]
fix

This patch applies cleanly to ESR24.
Comment 19 Matt Wobensmith [:mwobensmith][:matt:] 2013-10-16 14:56:09 PDT
Verified fixed 24esr, 2013-10-16.