Closed Bug 367428 (CVE-2007-3072) Opened 18 years ago Closed 18 years ago

resource:// directory traversal

Categories

(Core :: Networking, defect, P1)

Product:
Core
Component:
Networking
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8.1

People

(Reporter: sync2d, Assigned: benjamin)

References

Details

(Keywords: fixed1.8.0.12, privacy, verified1.8.1.4, Whiteboard: [sg:low])

Attachments

(4 files, 1 obsolete file)

testcase
(deleted), text/html
Details
Don't allow backslash, rev. 1.1
(deleted), patch
Biesinger
: review+
Details | Diff | Splinter Review
Handle escaped backslashes, rev. 1
(deleted), patch
Biesinger
: review+
Details | Diff | Splinter Review
Rollup patch for branches, rev. 1
(deleted), patch
dveditz
: approval1.8.1.4+
dveditz
: approval1.8.0.12+
Details | Diff | Splinter Review
Attached file testcase (deleted) —
resource://gre/../../../../boot.ini => Firefox can't find the file at /boot.ini. resource://gre/..\..\..\..\boot.ini => File loads successfully. This bug can be used to check existence of local files since resource:// and file:// have different restrictions. Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.2pre) Gecko/20070117 BonEcho/2.0.0.2pre
Flags: wanted1.8.1.x?
Flags: wanted1.8.0.x?
Flags: blocking1.9?
Darin, biesi: this behavior is/was being prevented in the forward-slash case by net_CoalesceDirs (http://lxr.mozilla.org/mozilla/source/netwerk/base/src/nsURLHelper.cpp#208). Perhaps we can just fail if there are any backslashes at all in the resource URL?
Assignee: nobody → benjamin
Status: NEW → ASSIGNED
Flags: blocking1.9? → blocking1.9+
Attached patch Don't allow backslash, rev. 1 (obsolete) (deleted) — Splinter Review
Attachment #253222 - Flags: review?
Attachment #253222 - Flags: review? → review?(darin.moz)
Comment on attachment 253222 [details] [diff] [review] Don't allow backslash, rev. 1 you don't need double backslashes in JavaScript?
Attached patch Don't allow backslash, rev. 1.1 (deleted) — Splinter Review
Indeed I do
Attachment #253222 - Attachment is obsolete: true
Attachment #253328 - Flags: review?(darin.moz)
Attachment #253222 - Flags: review?(darin.moz)
Attachment #253328 - Flags: review?(darin.moz) → review?(cbiesinger)
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1
Attachment #253328 - Flags: review?(cbiesinger) → review+
Comment on attachment 253328 [details] [diff] [review] Don't allow backslash, rev. 1.1 Very low-risk security patch.
Attachment #253328 - Flags: approval1.8.1.3?
Attachment #253328 - Flags: approval1.8.0.11?
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment on attachment 253328 [details] [diff] [review] Don't allow backslash, rev. 1.1 This is incorrect, as it doesn't deal with %5C correctly.
Attachment #253328 - Flags: approval1.8.1.3?
Attachment #253328 - Flags: approval1.8.0.11?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #256468 - Flags: review?(cbiesinger)
Attachment #256468 - Flags: review?(cbiesinger) → review+
Attachment #256470 - Flags: approval1.8.1.3?
Attachment #256470 - Flags: approval1.8.0.11?
Fixed on trunk, and the testcase even passes ;-)
Status: REOPENED → RESOLVED
Closed: 18 years ago18 years ago
Resolution: --- → FIXED
Whiteboard: [sg:low]
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x?
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Comment on attachment 256470 [details] [diff] [review] Rollup patch for branches, rev. 1 approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #256470 - Flags: approval1.8.1.4?
Attachment #256470 - Flags: approval1.8.1.4+
Attachment #256470 - Flags: approval1.8.0.12?
Attachment #256470 - Flags: approval1.8.0.12+
Landed on MOZILLA_1_8_BRANCH and MOZILLA_1_8_0_BRANCH
Keywords: fixed1.8.0.12, fixed1.8.1.4
v.fixed on 1.8 branch with 2.0.0.4 rc2 build Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070509 Firefox/2.0.0.4
Keywords: fixed1.8.1.4verified1.8.1.4
Please see bug 380994 for a part of this problem that was missed...
Given this has been discussed in public I'm opening this bug http://ha.ckers.org/blog/20070516/read-firefox-settings-poc/#comment-35888
Group: security
Unless I'm missing something, the patches above only addresses this problem on Windows. There's a very similar bug on Mac OS X (and, I'd assume, any *nix) with escaped forward slashes -- URLs of the form "resource:///..%2F..%2F..%2F..%2FUsers" can traverse the entire directory structure. I can successfully and consistently exploit this on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 -- it's pretty straightforward, but please email me if you'd like PoC code. My apologies if the OS X bug has already been patched elsewhere, or if it is not related to this bug. I searched bugzilla, but didn't turn up any other bugs that seem relevant. -sq
I vote to reopen this bug. I can reproduce Sam's findings as well. This affects more than just Windows XP and the provided patch does not address the vulnerability on OS X and Linux.
That is bug 380994
Depends on: CVE-2007-3073
Does bug 380994 address the vulnerability in 1.5.0.9 as well? I don't have access to verify.
That bug covers all the branches.
Depends on: 382558
No longer depends on: 382558
Depends on: 382558
Alias: CVE-2007-3072
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: