Closed Bug 293424 Opened 20 years ago Closed 19 years ago

Malicious website can access chrome

Categories

(Core :: Security: CAPS, defect)

x86
Windows XP
defect
Not set
major

RESOLVED FIXED

People

(Reporter: pvnick, Assigned: mconnor)

Details

(Keywords: fixed-aviary1.0.5, fixed1.7.9, Whiteboard: [sg:fix] need landing)

Attachments

(1 file)

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

The url "about:" can be accessed by a website, but it takes some cross site scripting (using another vuln submitted by me) to javascript:document.write (""); onto the about: page to show its true url (chrome://global/content/about.xhtml). From there, the page is treated under chrome privileges and system access is easy.

Reproducible: Always

Steps to Reproduce:
1. http://greyhatsecurity.org/secretfoldervulns/about.htm
2. Click the link
3. Wait about 2 seconds

Actual Results:
Script executed in chrome

Expected Results:
about: page navigation from internet pages should be disallowed
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Whiteboard: [sg:fix]
Blocks: sbb?
Testcase doesn't work in my current build, but linking to about: seems to be a bad thing in general.
Assignee: nobody → mconnor
Whiteboard: [sg:fix] → [sg:fix] -need patch
Attached patch block about: from chrome (deleted) — Splinter Review
I can't think of anything this would break... We should think about the "about:foo points to chrome" concept as a potential attack vector in general. Shaver's suggestion was to deprivilege about: completely, moving about:config and friends requiring chrome access to system:*, and possibly blocking any linking to these URLs. What's left in about: should not have chrome URLs or any privs at all. But for the branch, we can just flip this off, the others seem to be safe, for now (and in about 5 minutes, someone will prove me wrong I'm sure).
Attachment #186337 - Flags: superreview?(brendan)
Attachment #186337 - Flags: review?(brendan)
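As an added example (not the attached patch or any Mozilla code), the load policy this bug asks for, modelled in JavaScript: an about: alias is judged by the document it resolves to, so web content is refused "about:" because it resolves to chrome://global/content/about.xhtml, while about:blank stays loadable. The alias table and the origins are assumptions made up for the example; only the about: to chrome mapping comes from the bug.

```javascript
// Constructed alias table. Only "about:" -> chrome://global/content/about.xhtml
// is taken from the bug; the rest is assumed for illustration.
const ABOUT_ALIASES = {
  "about:": "chrome://global/content/about.xhtml",
  "about:blank": "about:blank",
};

// Resolve an about: alias to the document it actually loads. Unknown URLs
// are returned unchanged.
function resolveAbout(url) {
  const key = url.toLowerCase();
  return Object.prototype.hasOwnProperty.call(ABOUT_ALIASES, key)
    ? ABOUT_ALIASES[key]
    : url;
}

// Privilege a document would run with once loaded. This is the "morph"
// problem from the bug: the page's real URL (and privilege) is that of the
// resolved target, not of the alias the user clicked.
function privilegeOf(url) {
  return resolveAbout(url).toLowerCase().startsWith("chrome://")
    ? "chrome"
    : "content";
}

// Decide whether a document at sourceOrigin may navigate to targetUrl.
// Chrome callers may load anything. Web content (http/https/etc.) is
// refused every target that would run with chrome privilege, which covers
// both direct chrome:// links and about: aliases that resolve to chrome://.
function mayLoad(sourceOrigin, targetUrl) {
  const sourceIsChrome = sourceOrigin.toLowerCase().startsWith("chrome://");
  if (sourceIsChrome) return true;
  return privilegeOf(targetUrl) === "content";
}
```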
Brendan: Can you review the patches and give the a= so we can get this checked in soon? Thanks.
Comment on attachment 186337 [details] [diff] [review] block about: from chrome Yeah, let's go. This is overdue. /be
Attachment #186337 - Flags: superreview?(brendan)
Attachment #186337 - Flags: superreview+
Attachment #186337 - Flags: review?(brendan)
Attachment #186337 - Flags: review+
Attachment #186337 - Flags: approval-aviary1.1a2+
Comment on attachment 186337 [details] [diff] [review] block about: from chrome We want this on the branch too. a=jay
Attachment #186337 - Flags: approval-aviary1.0.5+
I seem to recall having a patch which we backed out that let documents retain their proper url instead of having them morph :(
Component: General → Security: CAPS
Flags: review+
Product: Firefox → Core
Version: unspecified → Trunk
Updated product/component per timeless. Since this is core, we should probably get this in 1.7.9 also, right? Nominating...
Flags: blocking1.7.9?
Whiteboard: [sg:fix] -need patch → [sg:fix] need landing
checked in to aviary/1.7/trunk
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: blocking1.7.9? → blocking1.7.9+
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050706 Firefox/1.0.5 using original testcase. about: cannot be loaded.
Adding distributors
FF1.0.5 advisories published
Group: security
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?