Closed Bug 290037 Opened 20 years ago Closed 20 years ago

Search plugins can get javascript access to currently active tab

Categories

(SeaMonkey :: Search, defect)

1.7 Branch
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mikx, Assigned: dveditz)


Details

(Keywords: fixed-aviary1.0.3, fixed1.7.7, Whiteboard: [sg:fix])

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3

By creating a special Sherlock file it is possible to run JavaScript code in the security context of the currently active tab. This allows one to create search engines that silently monitor all websites displayed while searching (e.g. to steal session cookies) and/or that wait for a privileged page (e.g. chrome or about:config) to run arbitrary code.

Reproducible: Always

Steps to Reproduce:
1. Open http://bugzilla:Je5Zw8k@www.mikx.de/firesearching/
2. Follow instructions

The demo adds a new search engine (called Firesearching) by calling sidebar.addSearchEngine() that behaves like a normal Google search. When searching with that engine an alert shows that the engine has JavaScript access to the currently active tab. An attacker could silently send the information to another host instead.

When the currently displayed site is privileged (chrome or about:config) the demo requests UniversalXPConnect rights, creates c:\booom.bat and launches the batch file (shows a directory listing in a DOS box). This part is Windows only, which is a limitation of the demo - the bug affects all platforms.
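The report above turns on one detail: a Sherlock .src file declares the engine's action URL, and the browser loaded that URL into the active tab, so a javascript: action ran in that tab's security context (and, on a chrome: or about:config page, with chrome privileges). The fix (attachment 180510, "search only intended to support http") restricts the action URL's scheme. What follows is an added example, not code from Mozilla and not the reporter's Firesearching demo: a minimal parser for the opening <search ...> tag of a Sherlock file, three constructed sample files (benign, javascript: action, and an obfuscated javascript: action), and the scheme allow-list check that refuses anything other than http. Allowing https alongside http is this example's own choice (the patch title says http only), and names such as vetSearchPlugin and checkSearchAction are the example's, not the browser's.

```javascript
'use strict';
// Added example (not Mozilla's code, not the reporter's demo): vet the action
// URL of a Sherlock-style search plugin before installing it. The browser used
// to load the action URL into the active tab, so a javascript: action executed
// with that tab's privileges; the defence is an allow-list on the URL scheme.

// --- constructed sample plugin files (not real engines) --------------------
// Harmless engine: absolute http action, behaves like an ordinary web search.
const BENIGN_SRC = `<search
  name="Example Web Search"
  method="GET"
  action="http://www.example.com/search"
  queryCharset="UTF-8">
<input name="q" user>
</search>`;

// Malicious engine: a javascript: action runs in the current tab's context.
const MALICIOUS_SRC = `<search
  name="Not Really Google"
  method="GET"
  action="javascript:alert('search engine runs as ' + location.href)">
<input name="q" user>
</search>`;

// Obfuscated variant: leading space, mixed case and an embedded tab. The WHATWG
// URL parser strips/normalises all of these before the scheme is compared, so a
// scheme check done on the raw string would be easy to bypass.
const OBFUSCATED_SRC =
  '<search name="x" method="GET" action=" Java\tScript:alert(document.cookie)">' +
  '<input name="q" user></search>';

// --- minimal parser for the <search ...> tag -------------------------------
// Simplified relative to the real Sherlock format: only the opening <search>
// tag is read and only double-quoted attributes are recognised.
function parseSherlockSearchTag(src) {
  const start = src.search(/<search\b/i);
  if (start < 0) throw new Error('no <search> tag');
  let end = -1;
  let inQuote = false;
  for (let i = start + '<search'.length; i < src.length; i++) {
    const c = src[i];
    if (c === '"') inQuote = !inQuote;
    else if (c === '>' && !inQuote) { end = i; break; }
  }
  if (end < 0) throw new Error('unterminated <search> tag');
  const attrs = {};
  const attrRe = /([A-Za-z_][\w-]*)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(src.slice(start, end))) !== null) {
    attrs[m[1].toLowerCase()] = m[2];
  }
  return attrs;
}

// --- the check the fix amounts to: allow-list the action URL's scheme --------
// The patch title says "only http"; https is added here as this example's
// choice. Everything else (javascript:, data:, chrome:, file:, ftp:, relative
// URLs) fails closed because it is not on the list, not because it is named.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function checkSearchAction(action) {
  let url;
  try {
    url = new URL(action); // throws on relative/garbage; normalises the scheme
  } catch {
    return { ok: false, reason: 'action is not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} is not allowed` };
  }
  return { ok: true, url: url.href };
}

function vetSearchPlugin(src) {
  const attrs = parseSherlockSearchTag(src);
  if (!attrs.action) return { name: attrs.name, ok: false, reason: 'missing action' };
  return { name: attrs.name, action: attrs.action, ...checkSearchAction(attrs.action) };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const src of [BENIGN_SRC, MALICIOUS_SRC, OBFUSCATED_SRC]) {
    const v = vetSearchPlugin(src);
    console.log(v.ok ? 'ACCEPT' : 'REJECT', v.name, '->', v.ok ? v.url : v.reason);
  }
}
```

The point of parsing with the platform URL parser rather than matching `^javascript:` on the raw attribute is visible in the obfuscated sample: the leading space, the capital letters and the tab are all normalised away before `url.protocol` is read, so the allow-list sees `javascript:` and refuses it. The same fail-closed shape answers the question raised later in the bug about ftp or gopher: they are simply not on the list.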
Assignee: p_ch → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.3+
Product: Firefox → Core
Whiteboard: [sg:fix]
Version: unspecified → 1.7 Branch
Attachment #180510 - Flags: superreview?(dbaron)
Attachment #180510 - Flags: review?(beng)
Attachment #180510 - Flags: approval1.8b2?
Attachment #180510 - Flags: approval1.7.7?
Attachment #180510 - Flags: approval-aviary1.0.3?
Comment on attachment 180510: search only intended to support http -- make it so
r=ben@mozilla.org
Attachment #180510 - Flags: review?(beng) → review+
Comment on attachment 180510: search only intended to support http -- make it so
a=asa
Attachment #180510 - Flags: approval1.8b2? → approval1.8b2+
Comment on attachment 180510: search only intended to support http -- make it so
a=chase for branches
Attachment #180510 - Flags: approval1.7.7?
Attachment #180510 - Flags: approval1.7.7+
Attachment #180510 - Flags: approval-aviary1.0.3?
Attachment #180510 - Flags: approval-aviary1.0.3+
blocking1.7.7+
Flags: blocking1.7.7+
Attachment #180510 - Flags: superreview?(dbaron) → superreview+
I'm not sure what "only HTTP" (vs., say, gopher or FTP) really means, but if you think that's the right thing, sr=dbaron.
Fix checked in to trunk plus 1.7 and aviary branches
Fix released
Group: security
Fix landed on trunk Apr 12 (see comment 7). FIXED.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
(In reply to comment #0)
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
> Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050408 Firefox/1.0.3
>
> By creating a special Sherlock file it is possible to run JavaScript code in the
> security context of the currently active tab. This allows one to create search
> engines that silently monitor all websites displayed while searching (e.g. to
> steal session cookies) and/or that wait for a privileged page (e.g. chrome or
> about:config) to run arbitrary code.
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. Open http://bugzilla:Je5Zw8k@www.mikx.de/firesearching/
> 2. Follow instructions
>
> The demo adds a new search engine (called Firesearching) by calling
> sidebar.addSearchEngine() that behaves like a normal Google search. When
> searching with that engine an alert shows that the engine has JavaScript access
> to the currently active tab. An attacker could silently send the information to
> another host instead.
>
> When the currently displayed site is privileged (chrome or about:config) the
> demo requests UniversalXPConnect rights, creates c:\booom.bat and launches the
> batch file (shows a directory listing in a DOS box). This part is Windows only,
> which is a limitation of the demo - the bug affects all platforms.

Hi Michael,

Would you please compose a new test case for Mozilla? With the case you provided here I can't reproduce this bug on mozilla/linux, while the OS of this bug is set to All. Please send it to tim.miao@sun.com. Thanks.
Tim, this case does work on Mozilla Suite.
Blocks: 295018
Blocks: sbb+
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
Product: Core → SeaMonkey