Closed
Bug 262887
(SA12712)
Opened 20 years ago
Closed 20 years ago
Secunia background tab security issues (SA12712 - less critical) -
Categories
(SeaMonkey :: Tabbed Browser, defect)
SeaMonkey
Tabbed Browser
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: dveditz, Assigned: bryner)
References
(Depends on 1 open bug, )
Details
(4 keywords, Whiteboard: http://secunia.com/advisories/12712/ have patch - need to land)
Attachments
(9 files, 1 obsolete file)
(deleted),
text/html
|
Details | |
(deleted),
text/html
|
Details | |
(deleted),
text/html
|
Details | |
(deleted),
patch
|
bugs
:
review+
bryner
:
superreview+
chofmann
:
approval-aviary+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
patch
|
mkaply
:
approval1.7.5+
|
Details | Diff | Splinter Review |
(deleted),
text/html
|
Details | |
(deleted),
patch
|
bugs4hj
:
review+
dveditz
:
superreview+
asa
:
approval-aviary1.0.1+
dveditz
:
approval1.7.6+
asa
:
approval1.8a6+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
jst
:
review+
|
Details | Diff | Splinter Review |
Jakob Balle of Secunia writes us with a collection of vulnerabilities related to
background tabs. Assigning to Bryner who recently fixed bug 124750, which
appears to fix (or hide?) the input stealing variant described here. The Secunia
link in the URL field will be blank until October 20, 2004
The dialog-on-background-tab issues sound dupe-ish to me.
I confirm all three symptoms in both Firefox 1.0PR and Mozilla 1.7.3, and that
the input-stealing one appears fixed in today's Firefox build.
By "minimized" tab I'm pretty sure Jakob means "background"; that's how I tested.
- - - - - -
Hello,
I have found 3 vulnerabilities in the way Mozilla and Mozilla Firefox
handles tabbed browsing.
The vulnerabilities have been confirmed in:
- Mozilla Firefox 0.10.1 on Linux
- Mozilla 1.7.3 on Linux
1)
It is possible for a "minimised" tab to always gain focus on a form
field in the "minimised" tab, even if the user is browsing a completely
different website in another tab.
This is escalated a bit by the fact that most people do not look at the
monitor while typing data into a form field, and therefore might send
data to the site in the "minimised" tab, instead of the intended/viewed
tab.
Demonstration Description:
1. Open a new blank tab, and load the example file called
"input_field_stealer.html"
2. Open the displayed link in a new tab and make sure you are viewing
the new tab.
3. Try to enter data in e.g. any form field on the newly opened tab, or
try to enter data in the address bar.
4. Everything you enter will be listed in the "textarea" in the tab
opened in step 1.
Demonstration File:
input_field_stealer.html
2)
It is possible for a "minimised" tab to spawn a JavaScript "Prompt"
dialog box, which looks to be originating from the currently viewed tab.
It is not possible for the user to see which web-site actually launched
the prompt box, and therefore the user could be be lead to believe that
it is a genuine prompt box coming from e.g. their bank's web-site.
Demonstration Description:
1. Open a new blank tab, og load the example file called
"javascript_prompt_box.html"
2. Open the displayed link in a new tab and make sure you are viewing
the new tab.
3. Wait about 6 seconds and a JavaScript prompt dialog box will be
launched.
4. Everything you enter will be listed in the "textarea" in the tab
opened in step 1.
Demonstration File:
javascript_prompt_box.html
3)
It is possible for a "minimised" tab to spawn a download dialog box,
which looks to be originating from the currently viewed tab.
This could be exploited to trick the user into downloading and running a
harmful program.
Demonstration Description:
1. Open a new blank tab, og load the example file called
"download_box.html"
2. Open the displayed link in a new tab and make sure you are viewing
the new tab.
3. Wait about 6 seconds and a download dialog box will be launched.
NOTE:
This demonstration requests a web page located at Secunia, the only
thing this page does is to send the following:
Content-Type: application/octet
Content-Disposition: attachment; filename="Latest Citibank Netbank
Version.exe"
...
Demonstration File:
download_box.html
We have reserved SA12712 for these vulnerabilities and are currently
planning to issue the information at 20/10/2004.
Let me know if there is anything I may be able to help with.
Jakob Balle, Secunia
Reporter | ||
Comment 1•20 years ago
|
||
Reporter | ||
Comment 2•20 years ago
|
||
Reporter | ||
Comment 3•20 years ago
|
||
Comment 4•20 years ago
|
||
The problems with dialogs have been discussed in bug 123913, bug 123908, and bug
121209.
Reporter | ||
Updated•20 years ago
|
Reporter | ||
Updated•20 years ago
|
Flags: blocking1.7.x?
Flags: blocking-aviary1.0?
Comment 5•20 years ago
|
||
think we can get this for 1.0?
Flags: blocking-aviary1.0? → blocking-aviary1.0+
Comment 6•20 years ago
|
||
I'm going to guess no. From what I've been told we have the focus stealing but
but there's no way we can get the per-tab-modality to work before 1.0.
Flags: blocking-aviary1.0+ → blocking-aviary1.0-
Comment 7•20 years ago
|
||
If we can't have per-tab modality for 1.0, how about automatically selecting the
tab before displaying the dialog?
Reporter | ||
Comment 8•20 years ago
|
||
Or including the site name in the dialog title, instead of generic things like
[Javascript Application]?
Reporter | ||
Comment 9•20 years ago
|
||
Removing confidential flag: Secunia published their advisory today, embargo lifted.
Whiteboard: http://secunia.com/advisories/12712/
Reporter | ||
Updated•20 years ago
|
Alias: SA12712
Reporter | ||
Comment 10•20 years ago
|
||
*** Bug 265266 has been marked as a duplicate of this bug. ***
Reporter | ||
Updated•20 years ago
|
Group: security
Reporter | ||
Comment 11•20 years ago
|
||
*** Bug 265267 has been marked as a duplicate of this bug. ***
Reporter | ||
Updated•20 years ago
|
Summary: Secunia background tab security issues → Secunia background tab security issues (SA12712)
Comment 12•20 years ago
|
||
I thing that some solution to this bug SHOULD be found before version 1.0 for
marketing reasons otherwise it is easy to imagine, that this can be used AGAINST
mozillafirefox. Imagine articles like: "List of security holes in the first
release of FIreFox" etc. With a little imagination it would not be hard to
write an article which could put uninformed audience to doubt about qualities of FF.
Surely it need not to be the most clean solution, but it should work even if it
causes some annoyance [like automatically selecting the tab before displaying
the dialog] and it could be switched off.
Comment 13•20 years ago
|
||
This makes alert/prompt/confirm make the tab in which they're called the
current tab while the modal dialog is open. Fixes the prompt and related
problems, but doesn't fix the download dialog problem.
Updated•20 years ago
|
Attachment #163615 -
Flags: superreview?(bryner)
Attachment #163615 -
Flags: review?(dveditz)
Comment 14•20 years ago
|
||
if this looks safe we should consider for 1.0. putting back on the radar.
Flags: blocking-aviary1.0- → blocking-aviary1.0+
Comment 15•20 years ago
|
||
*** Bug 266357 has been marked as a duplicate of this bug. ***
Comment 16•20 years ago
|
||
update to patch coming... think we will leave the user at the tab assoicated
with the alert.
Comment 17•20 years ago
|
||
This makes us do what we discussed yesteday at the aviary meeting, in stead of
switching back to the tab where the user was when the before the modal dialog
opened, we'll just remain on the tab that opened the modal dialog after the
user dismisses the dialog. This also makes the tab switching more correct.
Attachment #163615 -
Attachment is obsolete: true
Updated•20 years ago
|
Attachment #163896 -
Flags: superreview?(bryner)
Attachment #163896 -
Flags: review?(bugs)
Updated•20 years ago
|
Attachment #163615 -
Flags: superreview?(bryner)
Attachment #163615 -
Flags: review?(dveditz)
Comment 18•20 years ago
|
||
Comment on attachment 163896 [details] [diff] [review]
Updated diff, stay at the opening tab when the modal dialog is dismissed.
r=ben@mozilla.org
Attachment #163896 -
Flags: review?(bugs) → review+
Assignee | ||
Updated•20 years ago
|
Attachment #163896 -
Flags: superreview?(bryner) → superreview+
Updated•20 years ago
|
Attachment #163896 -
Flags: approval-aviary?
Comment 19•20 years ago
|
||
Any chance of making the browser/tabbrowser changes to xpfe as well?
Comment 20•20 years ago
|
||
Yeah, I'll make the changes for 1.7 as well once I get to catch my breath...
Reporter | ||
Comment 21•20 years ago
|
||
Comment on attachment 163896 [details] [diff] [review]
Updated diff, stay at the opening tab when the modal dialog is dismissed.
Sorry for being so slow, I had trouble applying this to my tree (my fault) and
it took a while to get it working.
This is not only an aviary patch, but firefox-only. Will need additional
patching in xpfe for the trunk and 1.7 branches (1.7 because we'll be releasing
that after ff-final and need to be able to say this is fixed there, too).
>Index: browser/base/content/browser.js
>+ if (getBrowser().isHandlingModalDialog) {
>+ gURLBar.value = location;
>+ SetPageProxyState("valid", aLocation);
>+ } else {
Won't this also need the hack for 249322? Add a redundant
gURLBar.value = ""; // hack for bug 249322
line before setting the location. In accordance with Neil's comments, you can
simplify my earlier patch as long as you're here (I did on the trunk)
>+ setTimeout(function(loc, aloc) {
>+ gURLBar.value = ""; // hack for bug 249322
>+ gURLBar.value = loc;
>+ SetPageProxyState("valid", aloc);
>+ }, 0, location, aLocation);
r=dveditz fwiw, but I think you need the 249322 hack
Comment 22•20 years ago
|
||
(In reply to comment #21)
> >Index: browser/base/content/browser.js
> >+ if (getBrowser().isHandlingModalDialog) {
> >+ gURLBar.value = location;
> >+ SetPageProxyState("valid", aLocation);
> >+ } else {
>
> Won't this also need the hack for 249322? Add a redundant
> gURLBar.value = ""; // hack for bug 249322
> line before setting the location.
I don't *think* I need that here as the location being set in all the cases
where isHandlingModalSialog (forceSyncURLBarUpdate in the latest diff, and this
property and check should ideally go away too as there doesn't seem to be a real
need to set the value of the URL bar off of a timer) is true we're setting the
location to a value that has already gone through our fixup code etc. I'll add
that code just to be on the safe side tho...
> In accordance with Neil's comments, you can
> simplify my earlier patch as long as you're here (I did on the trunk)
Done.
Thanks for the feedback!
Comment 23•20 years ago
|
||
Comment on attachment 163896 [details] [diff] [review]
Updated diff, stay at the opening tab when the modal dialog is dismissed.
a=chofmann for the branches
Attachment #163896 -
Flags: approval-aviary? → approval-aviary+
Comment 25•20 years ago
|
||
Comment 26•20 years ago
|
||
Comment on attachment 163896 [details] [diff] [review]
Updated diff, stay at the opening tab when the modal dialog is dismissed.
OK, so what happens if you load attachment 161075 [details] in a frame?
Comment 27•20 years ago
|
||
Updated•20 years ago
|
Attachment #164295 -
Flags: approval1.7.x?
Comment 28•20 years ago
|
||
Comment on attachment 164295 [details] [diff] [review]
1.7 branch diff.
bleah. It's a security bug, we need it.
Attachment #164295 -
Flags: approval1.7.x? → approval1.7.x-
Updated•20 years ago
|
Attachment #164295 -
Flags: approval1.7.x- → approval1.7.x+
Comment 29•20 years ago
|
||
Fix for the modal DOM dialog problem landed on the trunk and 1.7 branch too.
Comment 30•20 years ago
|
||
This one doesn't trigger the tab switch (yet!)
Comment 31•20 years ago
|
||
Secunia has updated it's advisory and marked issues fixed in Firefox 1.0 now
(Secunia's page updated on 9th November):
"Mozilla Firefox:
Update to version 1.0."
http://secunia.com/advisories/12712/
Reporter | ||
Comment 32•20 years ago
|
||
Note that we have only partially fixed the "download box" case. As given the
download box example also uses the flaw from "javascript prompt box" so it may
appear fixed, but you could still use *just* the download prompt. A spoof would
be --much-- less convincing without the initial prompt, but it might still be
possible to fool some people with a descriptive enough file name.
Comment 33•20 years ago
|
||
Hi guys,
when i tried testing the input stealing functionality, everything worked
fine.. but I guess it needs more work. I tested
http://secunia.com/multiple_browsers_form_field_focus_test/ and switched off
"Begin finding when you are typing" and for some reason, the Input stealing
issue is still pending.
Is it fixed yet? I am using version 1.0
Arun
(In reply to comment #31)
> Secunia has updated it's advisory and marked issues fixed in Firefox 1.0 now
> (Secunia's page updated on 9th November):
>
> "Mozilla Firefox:
> Update to version 1.0."
>
> http://secunia.com/advisories/12712/
Comment 34•20 years ago
|
||
*** Bug 272877 has been marked as a duplicate of this bug. ***
Comment 35•20 years ago
|
||
Secunia.com advisory was updated again today, it's now containing text "Firefox
is still affected by a variant of the first vulnerability. Added 'Firefox 1.x'
as vulnerable." (Company's statistics page for Mozilla Firefox 1.x contains now
one 'Partial Fix' advisory.) Like mentioned in comment #32, it's fixed only
partially.
Comment 36•20 years ago
|
||
(In reply to comment #30)
> Created an attachment (id=164571) [edit]
> More advanced version of attachment 161075 [details] [edit]
>
> This one doesn't trigger the tab switch (yet!)
That's because of that frame I guess?
Do we need some additional JS code in tabbrowser.xml to match the tab, or will
someone change the C source for this?
Comment 37•20 years ago
|
||
Easy fix for attachment 164571 [details] ;)
- if (browsers[i].contentWindow == event.target) {
+ if (browsers[i].contentWindow == event.target.top) {
Comment 38•20 years ago
|
||
What about setting a new attribute on the target tab in 'DOMWillOpenModalDialog'
because that will enable additional styling for themes. I did something similar
already for MultiZilla (see also:
http://bugzilla.mozdev.org/attachment.cgi?id=2465&action=view)
Comment 39•20 years ago
|
||
Attachment #168913 -
Flags: superreview?(dveditz)
Attachment #168913 -
Flags: review?(caillon)
Attachment #168913 -
Flags: approval1.7.5?
Comment 40•20 years ago
|
||
Comment on attachment 168913 [details] [diff] [review]
Fix for the more advanced version of the dialog spoof
This diff is good for aviary and 1.7.5 and trunk, but the xpfe changes don't
apply on the aviary branch, but that's ok as that version if tabbrowser.xml is
not used there at all.
Updated•20 years ago
|
Attachment #168913 -
Flags: approval1.7.5? → approval1.7.6?
Comment 41•20 years ago
|
||
(In reply to comment #37)
> Easy fix for attachment 164571 [details] [edit] ;)
>
> - if (browsers[i].contentWindow == event.target) {
> + if (browsers[i].contentWindow == event.target.top) {
HJ, I meant to say here before attaching my diff that this is the right fix, but
it needs to ensure that it gets the real 'top', not a user-defined property
named 'top'. My patch takes care of that too.
As for new attributes etc, that'd be cool (not that I'm one to decide that), but
that should be a separate bug.
Comment 42•20 years ago
|
||
(In reply to comment #41)
> (In reply to comment #37)
> > Easy fix for attachment 164571 [details] [edit] [edit] ;)
> >
> > - if (browsers[i].contentWindow == event.target) {
> > + if (browsers[i].contentWindow == event.target.top) {
>
> HJ, I meant to say here before attaching my diff that this is the right fix, but
> it needs to ensure that it gets the real 'top', not a user-defined property
> named 'top'. My patch takes care of that too.
No problem, and I am fully aware of the security implication of this, in fact I
used something similar for MultiZilla weeks ago, but I didn't want to ring other
peoples 'bells' before this was fixed (I was blamed for doing so months ago) I
was sure that the "Easy" part would trigger some attention, as it did. Hey,
neil@parkwaycc.co.uk should remember me asking about XPCNativeWrapper in the
newsgroup ;)
> As for new attributes etc, that'd be cool (not that I'm one to decide that), but
> that should be a separate bug.
Comment 43•20 years ago
|
||
Comment on attachment 168913 [details] [diff] [review]
Fix for the more advanced version of the dialog spoof
Well, why don't I review this patch, because I know tabbrowser.xml very well I
think
Attachment #168913 -
Flags: review?(caillon) → review+
Comment 44•20 years ago
|
||
Is this going to warrant a security patch release, and firefox 1.0.1?
Comment 45•20 years ago
|
||
1.7.5 has shipped. Moving request to 1.7.6.
Flags: blocking1.7.5? → blocking1.7.6?
Reporter | ||
Comment 46•20 years ago
|
||
*** Bug 276517 has been marked as a duplicate of this bug. ***
Reporter | ||
Comment 47•20 years ago
|
||
Comment on attachment 168913 [details] [diff] [review]
Fix for the more advanced version of the dialog spoof
sr=dveditz, a=dveditz for 1.7.6
Should this land on the aviary branch in case of a 1.0.1?
Attachment #168913 -
Flags: superreview?(dveditz)
Attachment #168913 -
Flags: superreview+
Attachment #168913 -
Flags: approval1.7.6?
Attachment #168913 -
Flags: approval1.7.6+
Updated•20 years ago
|
Attachment #168913 -
Flags: approval1.8a6?
Attachment #168913 -
Flags: approval-aviary1.0.1?
Comment 48•20 years ago
|
||
Comment on attachment 168913 [details] [diff] [review]
Fix for the more advanced version of the dialog spoof
a=asa for 1.8a6 checkin and 1.0.1 checkin in case we end up doing a 1.0.1
Attachment #168913 -
Flags: approval1.8a6?
Attachment #168913 -
Flags: approval1.8a6+
Attachment #168913 -
Flags: approval-aviary1.0.1?
Attachment #168913 -
Flags: approval-aviary1.0.1+
Comment 49•20 years ago
|
||
Fix landed on trunk. Leaving bug open to track the remaining issues.
Comment 50•20 years ago
|
||
(In reply to comment #49)
> Fix landed on trunk. Leaving bug open to track the remaining issues.
Johnny, thanks for landing this, but what about triggering
DOMWillOpenModalDialog for alert/prompt? Will that work for you?
Comment 51•20 years ago
|
||
Updated•20 years ago
|
Attachment #172380 -
Flags: review?(jst)
Comment 52•20 years ago
|
||
Comment on attachment 172380 [details] [diff] [review]
Complete patch, backported to 1.4
r=jst
Attachment #172380 -
Flags: review?(jst) → review+
Updated•20 years ago
|
Keywords: fixed1.4.4
Comment 53•20 years ago
|
||
Patch (attachment 168913 [details] [diff] [review]) has approval1.7.6+ but was still not checked in for
the 1.7 branch.
Updated•20 years ago
|
Flags: blocking-aviary1.1?
Reporter | ||
Comment 54•20 years ago
|
||
blocking to make sure the 1.7 branch matches Firefox behavior.
Flags: blocking1.7.6?
Flags: blocking1.7.6+
Flags: blocking-aviary1.0.1+
Comment 55•20 years ago
|
||
sounds like we need to + for 1.0.1 and 1.7.6 and minus for 1.1 since the latest
patch is on the trunk...
need to get these fixes on the branches
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1-
Flags: blocking-aviary1.0.1+
Comment 56•20 years ago
|
||
bryner, can you land this whereever it needs landing and add appropriated fixed*
keywords? thanks.
Updated•20 years ago
|
Whiteboard: http://secunia.com/advisories/12712/ → http://secunia.com/advisories/12712/ have patch - need to land
Assignee | ||
Comment 57•20 years ago
|
||
checked in on aviary 1.0.1 and 1.7 branches
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 58•20 years ago
|
||
Verified Fixed.
Aviary 1.0.1 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5)
Gecko/20050218 Firefox/1.0
Mozilla 1.7.6 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)
Gecko/20050217
Status: RESOLVED → VERIFIED
Updated•20 years ago
|
Summary: Secunia background tab security issues (SA12712) → Secunia background tab security issues (SA12712 - less critical) -
Comment 59•20 years ago
|
||
(In reply to comment #26)
> (From update of attachment 163896 [details] [diff] [review] [edit])
> OK, so what happens if you load attachment 161075 [details] [edit] in a frame?
>
Status shows FIXED. however with my system : Mozilla/5.0 (Windows; U; Windows NT
5.1; en-GB; rv:1.7.6) Gecko/20050321 Firefox/1.0.2
executing attachment 161075 [details] is still popping up a stealer dialog.
Comment 60•20 years ago
|
||
(In reply to comment #59)
> (In reply to comment #26)
> > (From update of attachment 163896 [details] [diff] [review] [edit] [edit])
> > OK, so what happens if you load attachment 161075 [details] [edit] [edit] in a frame?
> >
>
> Status shows FIXED. however with my system : Mozilla/5.0 (Windows; U; Windows NT
> 5.1; en-GB; rv:1.7.6) Gecko/20050321 Firefox/1.0.2
>
> executing attachment 161075 [details] [edit] is still popping up a stealer dialog.
Sorry. I didn't notice the tab-switch :o(
Updated•16 years ago
|
Product: Core → SeaMonkey
You need to log in
before you can comment on or make changes to this bug.
Description
•