User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050302 Firefox/1.0+ "window.sidebar.addPanel" function allows you to bookmark any document as bookmark panel. If an attacker could convince a user to bookmark an arbitrary XPI file disguised as some useful site, this could be used to bypass XPI whitelist. Reproducible: Always Steps to Reproduce: 1. open testcase 2. click "Bookmark This Page..." and bookmark it 3. select "Some Useful Site" from bookmark Actual Results: XPI is loaded in the sidebar, whitelist is ignored and install dialog is shown immediately. Expected Results: XPI is loaded in the sidebar, but whitelist blocks the installation and the appropriate information bar is shown. Mark this as Security-Sensitive Bug just like Bug 264560.

Nominating to block releases, and adding some people who could maybe help out.

Bypassing the whitelist is not a security problem requiring the confidential flag, especially not one that requires convincing a user to bookmark an unknown link. The reason this bypasses the whitelist is because we explicitly remove referrer information from bookmarks for privacy reasons. What reasonable referrer could we use? We only know the user has bookmarked it and in that case we must assume the user wanted it. It doesn't need to be a panel, any bookmark to a .xpi would equally bypass the whitelist.

Another testcase is here. How about this?

> Another testcase is here. How about this? OK, got me there -- but that's really your bug 290079 isn't it? I guess that depends on how mconnor fixes that one.

I'm testing 2005-04-13-00-aviary1.0.1. The patch proposed in Bug 290079 added appropriate security check, but doesn't block XPI installation.

blocking-aviary1.0.3-

If the whitelist is bypassed easily, some kind of attack can be done successfully on Firefox. This bug contains potential hazards such as bug 293331.

Also see MFSA 2005-42: http://www.mozilla.org/security/announce/mfsa2005-42.html Firefox is more secure than Mozilla Suite? Nope. Nominate for 1.1 again.

The whitelist solely allows the site to present an install dialog. How is this exploitable in a way that a whitelisted site can't exploit someone? Or is this just a defence in depth case, where future attacks against the dialog can be somehow mitigated here?

If you ask me, the risks of whitelist bypassing is dwarfed by the horrendously bad ideas demonstrated by your testcases of 1) having the addPanel() dialog not show the URL being bookmarked and 2) letting any site anywhere at any time open or replace your sidebar using target=_search. Especially the latter.

->EM

The EM doesn't use the whitelist... xpinstall uses it and if it satisfies the whitelist requirement cpinstall opens the xpinstall dialog. Still though, this works in the main content area just fine and it doesn't work in the sidebar's content area. I don't see a component appropriate for the sidebar in Firefox so Firefox -> General

Comment on attachment 180497 [details] testcase 2 The "_search" target doesn't work anymore

Yeah, we removed it in bug 438526.

Give me a couple more years, and the story will be that I removed it because of things like this ;)

if i'm not wrong, actual Add Bookmarks panel shows the location when it is called through sidebar.AddPanel()

Bug 691647 removed addPanel.