Closed Bug 91043 Opened 24 years ago Closed 22 years ago

document.write while another page is loading can bypass same-origin check

Categories

(Core :: Security, defect, P1)

Product:
Core
Component:
Security
Platform:
x86
Windows NT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.4final

People

(Reporter: jruderman, Assigned: security-bugs)

References

Details

(Whiteboard: [PDT+])

Attachments

(4 files)

demo
917 bytes, text/html
Details
Patch - make document.write(ln) same-origin access only
841 bytes, patch
Details | Diff | Splinter Review
Patch 2 - ignore the last one.
703 bytes, patch
pavlov
: review+
dveditz
: superreview+
asa
: approval+
Details | Diff | Splinter Review
testcase showing innerHTML is working fine
985 bytes, text/html
Details
document.write is currently allAccess. If an attacker can time a document.write to fire while an HTML document from another site is loading, he can insert whatever code he wants into the other document, and Mozilla will assume that code came from the other site. Possible fixes: 1. Make document.write be sameOrigin. Web scripts will then have to explicitly call document.open if they want to write a new document in a window they don't currently own. 2. Make the document.write code check who's calling it. If the caller's principal doesn't match the target document's principal, call document.open to create a new document owned by the attacker, or deny access. I vote for 1, because it's simpler and seems less likely to lead to confusing problems. Note that IE doesn't allow access to document.write *or* document.open in another domain.
Attached file demo
document.write has code to stop this - see bug 32088, revision 3.207 in nsHTMLDocument.cpp. Why is this failing? Can this be turned into a universalXPConnect vulnerabilty in combination with bug 88087? I couldn't trigger it, but I'll try on a 133Mhz machine tomorrow.
Netscape 4 allows access to document.write across domains, but IE doesn't. So if we blocked access to document.write across domains, we would be breaking compatibility only with Netscape 4. By the way, Netscape 4 crashes if I try to test for this security hole. I guess it isn't vulnerable...
Keywords: nsBranch
r=jesse
sr=jband
Checked in on trunk. Adding vtrunk. I would like to get this onto the branch.
Status: NEW → ASSIGNED
Keywords: vtrunk
ckritzer: pls verify on trunk builds when available.
PDT+ per pdt mtg w/mstoltz
Priority: -- → P1
Whiteboard: [PDT+]
Fixed on branch.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Okay, this bug is VERIFIED FIXED on: Win98SE 2001-07-19-09-trunkMacOS91 2001-07-19-08-trunk LinRH62 2001-07-19-08-trunk And since Mitch checked into the branch tonight, I will verify tomorrow's branch bits when they are available.
Marking VERIFIED FIXED on: MacOS91 2001-07-20-06-0.9.2 Win98SE 2001-07-20-03-0.9.2 LinRH62 2001-07-20-04-0.9.2
Status: RESOLVED → VERIFIED
Nominating since this is a regression from Mach V.
Keywords: adt1.0.2
Group: netscapeconfidential → security
Seems to crash in layout now, after the exploit has already run.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
QA Contact: ckritzer → bsharma
CC list accessible: true
Accessible to reporter
Mitch can you say if you think this is required for Blackbird?
Yes, I think this should be required for Blackbird. It looks like I solved the problem originally by making document.open/write/writeln same-origin access only. Then, in bug 122317, I made them allAccess again, because the restriction was breaking some convoluted JS usage in a Siebel app - I had forgotten about the security implications at the time (doh). The quick, easy fix is to check in the above patch again, which simply adds a few lines to the security prefs. However, that will break the Siebel app again. Security is more important in this case, but I would at least like to explore some alternatives before we break them again. If I can't get any information before the end of the day, I'll change the prefs back.
OK, the Siebel issue has a quick workaround - we will work with Evangelism to see that they get the message. In the menatime, let's check in the above patch again. It removes the security prefs for document.write and writeln, which will make them default to sameOrigin. Can I get r/sr for removing those prefs?
We should probably get this into 1.2 as well...
Keywords: mozilla1.2
Target Milestone: --- → mozilla1.2final
Comment on attachment 42806 [details] [diff] [review] Patch 2 - ignore the last one. a=asa for checkin to the 1.2 branch (on behalf of drivers)
Attachment #42806 - Flags: approval+
adt approval for the 1.0.2 branch, please get drivers approval and check in tonight.
Blocks: blackbird
Keywords: adt1.0.2adt1.0.2+, mozilla1.0.2
Comment on attachment 42806 [details] [diff] [review] Patch 2 - ignore the last one. sr=dveditz
Attachment #42806 - Flags: superreview+
Attachment #42806 - Flags: review+
verbal a=chofmann for 1.0 branch.
Mitch checked this into the 1.0 branch earlier tonight.
Keywords: mozilla1.0.2fixed1.0.2
Verified on 2002-11-14-branch build. The crash is still happening. The crash happens after a while now but it still consistently happens. Steps to reproduce: 1. Open the demo page from the bug report. 2. Click on the first button. This will open the new window with large file, which will keep on loading. 3. Come back to the demo page and click on the next two buttons one after the other, nothing happens. 4. Go back to that large page and it is still loading. Come back to the demo page and click on the last two buttons again for couple of time. The crash will happen after 10 seconds or so. Please let me know if you need more details.
Removing fixed1.0.2 keyword to get on radar. I can reproduce what Bindu is seeing.
Keywords: fixed1.0.2
Mitch, can you please give us a test case which does not use innerHTML since that is crashing and Bindu can't verify the fix with confidence. Since the bug has been re-opened in the branch, add back the fixed1.0.2 keyword when you provide the test case. Thanks.
Does not look it is a problem with innerHTML, tested with build: 2002-11-14-09-1.0 Attaching a testcase to demonstate innerHTML is working properly. And i could not reproduce the crash.
I think the crash is a separate bug, independent of the security problem, and not a stop-ship. harishd is working on the crash and has filed a separate bug. For now, we can ignore the crash. What to look for is the alert() produced by the testcase. The testcase should not produce an alert(), but rather an exception in the JS console. If that's the case, the security bug is fixed. I'm putting this back to fixed1.0.2; please call me if you're still having trouble verifying.
Keywords: fixed1.0.2
Verified on 2002-11-14-branch build on Win2000. The demo page loads with the exception for each document.write in the JS console.
Status: REOPENED → RESOLVED
Closed: 24 years ago22 years ago
Keywords: fixed1.0.2verified1.0.2
Resolution: --- → FIXED
Group: security
This is odd... The browser security check at http://bcheck.scanit.be/bcheck/index.php is saying my copy of Mozilla 1.3 still has this vurnerability. Is it wrong?
Ben: I have 0/0/0 errors on bcheck.scanit.be while using yesterday's nightly: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4a) Gecko/20030327 worksforme.
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312 has the vulnerability according to the test at http://bcheck.scanit.be/bcheck/index.php Still there with the latest nightly build of Phoenix: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4a) Gecko/20030409 Phoenix/0.5+
I went through the browser security test at http://bcheck.scanit.be/bcheck/index.php and it showed this bug. Using Mozilla 1.3 on Redhat 8.0
confirmed.. this security issue is present on builds as late as 2003041704
Reopening to make sure this gets re-checked.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Or we could just wait for Godot, Lucky :)
Status: REOPENED → ASSIGNED
Target Milestone: mozilla1.2final → mozilla1.4final
Just tested on Mozilla 1.4b Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4b) Gecko/20030507 (using http://bcheck.scanit.be/bcheck) bug still present.
I don't believe this bug is still present. The document.write function is still same-origin access only, and both the original testcase attached to this bug and the scanit.be testcase come up negative for me. I can't see the source of the scanit.be test, since it doesn't stay loaded long enough to grab the source, but my guess is that the test on that site is flawed. I'm marking the bug Fixed, but I'd like to get some redundant verification. Brent or Charles, could you please try the testcase mentioned above, and the testcase attached to this bug? Johnny, do you see any suspicious behavior still occurring?
Status: ASSIGNED → RESOLVED
Closed: 22 years ago22 years ago
QA Contact: bsharma → bmartin
Resolution: --- → FIXED
I think there was a timing condition in http://bcheck.scanit.be/bcheck/ test. It might have caused false positives. Now I think I fixed it. According to my testing 1.4b is not vulnerable, neither is 1.3a, or 1.2.1. 1.1 is vulnerable. Did not test other versions. Sorry for the confusion caused by the test. Here is how I test now: win = window.open("http://otherdomain/test-moz91043bis.php"); // This window contains a document from another domain that takes // long time to load var j = setInterval("catchme()", 100); function catchme() { try { var a = win.document.title; // Test if the window is // still in our domain } catch (e) { // Window is not in our domain anymore clearInterval(j); try { win.document.write("stuffstuffstuff"); vulnerable(); } catch (e) { notvulnerable(); } } }
Sorry, i have Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.9.2a1pre) Gecko/20090708 Minefield/3.6a1pre and the same bug appeared in http://bcheck.scanit.be/old-bcheck/
Not sure what you're talking about. The (very) old version of the scanit.be test in the "old-bcheck" directory does have a test for this bug, but all recent versions of Mozilla browsers pass those tests.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: