Bug 892429
Opened 12 years ago
Closed 12 years ago
(web version) pdf.js DOM based XSS
Categories
(Firefox :: PDF Viewer, defect)
Status: RESOLVED FIXED
| Tracking | Status | |
|---|---|---|
| firefox-esr17 | --- | unaffected |
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
| b2g-v1.1hd | --- | unaffected |
| b2g-v1.2 | --- | unaffected |
People
(Reporter: krutarth.ce, Assigned: bdahl)
Details
(Keywords: reporter-external, sec-other, wsec-xss, Whiteboard: [reporter-external] sec-high for sites deploying the affected version)
Attachments
(1 file)
569.41 KB, image/png
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0 (Beta/Release)
Build ID: 20130215130331
Steps to reproduce:
Hello,
pdf.js is vulnerable to DOM-based XSS.
Parameter: file
Payload: javascript:alert(document.domain)//
P.O.C:
http://mozilla.github.io/pdf.js/web/viewer.html?file=javascript:alert%28document.domain%29//
Really sorry for testing it on github.
Actual results:
Script is injected into the DOM.
Expected results:
The file parameter is not sanitized properly; it looks like the colon (:) is not filtered.
Updated•12 years ago
Whiteboard: [reporter-external]
Updated•12 years ago
Component: Plug-ins → PDF Viewer
Product: Core → Firefox
Comment 1•12 years ago (Assignee)
I am unable to reproduce and I don't see how this could happen. Can you try with a clean profile?
Comment 2•12 years ago (Assignee)
I see, you have to click the download button. Luckily this doesn't affect the built-in viewer or add-on.
Comment 3•12 years ago (Reporter)
Hi Brendan,
Yes, we have to click on the download button.
Try these steps to reproduce:
Go to
http://mozilla.github.io/pdf.js/web/viewer.html?file=javascript:alert(0)
Now start the Firebug console,
click on the download button in the upper right corner; in the error section of the console, we will get the following message:
SyntaxError: illegal character
[Break On This Error]
alert(document.domain)#pdfjs.action=download
as the <a> tag won't parse anything after #.
Now let's try adding // after javascript:alert(0), as it will comment out all following content,
as following:
http://mozilla.github.io/pdf.js/web/viewer.html?file=javascript:alert(0)//
Now click on the download button; the script will be executed.
Vulnerable function in viewer.js (http://mozilla.github.io/pdf.js/web/viewer.js)
Now go to viewer.js.
If we look at the source of the js file, we will find the vulnerable source & sink functions:
function pdfViewDownload() is the source & function noData() is the sink.
Look in the noData() function; it is adding #pdfjs.action=download at the end of the url as below:
function noData() {
triggerSaveAs(url + '#pdfjs.action=download');
}
That's why we need to add a comment at the end, like javascript:alert(0)//
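The chain described in the original report and in the steps in this comment (the `file` value reaching `noData()`, the appended `#pdfjs.action=download` fragment, and the `//` trick), as an added example that is not part of the bug, of pdf.js, or of the fix the bug references. It reconstructs the sink's string building, shows by parsing only (nothing is executed) why `javascript:alert(0)` breaks at the sink while `javascript:alert(0)//` does not, and adds a same-origin allow-list check as one way to validate `file`. The viewer host, the sample file names, and the `isAllowedFileUrl` check itself are assumptions for this example, not the project's own code.

```javascript
// Added example, not pdf.js code. Models the `file` -> noData() sink from
// comment 3 of the bug and a hardened check for the parameter.

const DOWNLOAD_SUFFIX = '#pdfjs.action=download';

// Emulates the sink: the raw `file` value is concatenated with the fragment
// before being handed to the download/anchor logic.
function buildDownloadUrl(fileParam) {
  return fileParam + DOWNLOAD_SUFFIX;
}

// Does the body of a javascript: URL parse as a script? A browser that
// navigates an <a href="javascript:..."> parses and runs the body. Here we
// only parse it with the Function constructor, which throws SyntaxError on
// a body such as `alert(0)#pdfjs.action=download` (the "illegal character"
// from the Firebug console) and accepts `alert(0)//#pdfjs.action=download`
// because `//` comments out the appended fragment.
function javascriptUrlParses(url) {
  const scheme = 'javascript:';
  const trimmed = url.trim();
  if (!trimmed.toLowerCase().startsWith(scheme)) return false;
  const body = trimmed.slice(scheme.length);
  try {
    new Function(body); // parse only; the returned function is never called
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Hardened check (an assumption for this example, not the fix from the pull
// request the bug references): resolve `file` against the viewer's own URL
// and accept only http(s) URLs on the same origin. This rejects javascript:
// and data: schemes as well as protocol-relative `//other.host/x.pdf`
// values, which the reporter later calls an open redirect.
function isAllowedFileUrl(fileParam, viewerUrl) {
  let parsed;
  try {
    parsed = new URL(fileParam, viewerUrl);
  } catch (e) {
    return false; // unparsable value: refuse rather than guess
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return parsed.origin === new URL(viewerUrl).origin;
}

// Runs the four interesting inputs through sink and check. The viewer host
// and file names are constructed for the demo.
function demo() {
  const viewer = 'https://viewer.example/web/viewer.html';
  const cases = [
    'javascript:alert(0)',      // breaks at the sink: SyntaxError
    'javascript:alert(0)//',    // parses: the reported payload
    'sample.pdf',               // legitimate same-origin document
    '//attacker.example/x.pdf', // cross-origin: open-redirect style value
  ];
  return cases.map((f) => ({
    file: f,
    sinkUrl: buildDownloadUrl(f),
    parsesAsScript: javascriptUrlParses(buildDownloadUrl(f)),
    allowed: isAllowedFileUrl(f, viewer),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Note that the parse check only explains the reporter's observation; it is not a defence. The defence is to never let an attacker-controlled string decide the scheme or host of the URL the viewer loads or offers for download, which is what the allow-list check enforces.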
Comment 4•12 years ago
Krutarth, just to be clear: it's not an issue with the pdf.js extension or Firefox's PDF Viewer, it's an issue only with the web version of pdf.js hosted at mozilla.github.io?
Comment 5•12 years ago (Reporter)
Hi Yury,
All web versions of pdf.js are affected, not only the one on mozilla.github.io.
Actually, I was trying to find vulnerabilities in dropbox.com under their responsible disclosure policy. I was just analyzing the source, and I found that some pdf library is used by them, so I found this vulnerability there (they have modified viewer.js (mini version)). In the source of viewer.html, I found that the pdf.js extension is developed by Mozilla & being actively used (before that I wasn't aware that it's used in Mozilla). I have reported the vulnerability to Dropbox, and they fixed it immediately. After that I started looking for pdf.js on GitHub, and I found that the same vulnerability exists in pdf.js; even if you look in the GitHub repository of Mozilla (https://github.com/mozilla/pdf.js/blob/master/web/viewer.js),
you will find that the same vulnerability exists (check the source & sink functions as I mentioned in the previous comment).
Comment 6•12 years ago
The code you are referring to is not present in the Firefox's viewer.js http://mxr.mozilla.org/mozilla-central/source/browser/extensions/pdfjs/content/web/viewer.js#1557 or pdf.js addon https://addons.mozilla.org/en-US/firefox/files/browse/201180/file/content/web/viewer.js#L1067 . So we are okay here.
We will be fixing it for the customizable web page viewer.
Comment 7•12 years ago (Reporter)
Hi Yury,
Is there a demo link for the above pdf.js extension you provided?
& Is it an old version that is hosted on GitHub?
Comment 8•12 years ago
> Is there demo link present for above pdf.js extension you provided ?
Production version of PDF.js extension at https://addons.mozilla.org/en-US/firefox/addon/pdfjs/ and developer's version at http://mzl.la/pdf-xpi
> Is it old version that hosted on github ?
It's not old, it's a little bit different. http://mozilla.github.io/pdf.js/web/viewer.html is a live demo of the PDF.js, and has a different codebase from the extension version.
Some people/companies are taking it as a baseline for their online viewer without change. We will fix the web version of the viewer to set a good example.
Comment 10•12 years ago (Assignee)
Comment 11•12 years ago (Assignee)
This isn't an issue for Firefox; can we remove the security-sensitive flag?
Comment 12•12 years ago (Reporter)
No benefit of reporting security vulnerabilities; anyway, the open redirect is still present...
Comment 13•12 years ago
(In reply to Krutarth from comment #9)
> Okay, so is this bug would be eligible for bounty?
Tricky question. Probably not but since you've asked I'll run it up the flagpole at the next bounty committee meeting. If this bug existed in the Firefox version then it would clearly fall under the scope of the client security bug bounty. This is not a problem on any of our sites covered by the web security bug bounty so that program doesn't cover it either.
(In reply to Brendan Dahl from comment #10)
> Fixed in https://github.com/mozilla/pdf.js/pull/3467
Can this bug be RESOLVED FIXED then, or is there something else to do?
I didn't realize people were deploying this code on various websites. I don't know if we've actually "released" this software but we should announce the vulnerability in some way. It'd be nice if we could direct an advisory at the people deploying it but we probably don't know who they are. Second best might be to let the security community know so web scanning projects can test for this.
Assignee: nobody → bdahl
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty?
Flags: needinfo?(bdahl)
Summary: pdf.js DOM based XSS → (web version) pdf.js DOM based XSS
Whiteboard: [reporter-external] → [reporter-external] sec-high for sites deploying the affected version
Comment 14•12 years ago (Reporter)
Hello, any update on this ?
Comment 15•12 years ago (Assignee)
(In reply to Daniel Veditz [:dveditz] from comment #13)
> I didn't realize people were deploying this code on various websites. I
> don't know if we've actually "released" this software but we should announce
> the vulnerability in some way. It'd be nice if we could direct an advisory
> at the people deploying it but we probably don't know who they are. Second
> best might be to let the security community know so web scanning projects
> can test for this.
I've sent out an email to the pdf.js dev mailing list.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(bdahl)
Resolution: --- → FIXED
Comment 16•12 years ago
We've decided this bug does not qualify for the security bug bounty because it is not present in the version of pdf.js that is shipped with Firefox.
Flags: sec-bounty? → sec-bounty-
Updated•12 years ago
status-firefox-esr17: --- → unaffected
status-firefox-esr24: --- → unaffected
Updated•11 years ago
status-b2g18: --- → unaffected
status-b2g-v1.1hd: --- → unaffected
status-b2g-v1.2: --- → unaffected
Updated•10 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release
Updated•1 year ago
Keywords: reporter-external