Bug 389257 (Closed)
Opened 17 years ago
Closed 17 years ago
Cross-application scripting vulnerability in SeaMonkey
Categories: SeaMonkey :: Security, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: thor, Assigned: neil
Keywords: fixed-seamonkey1.1.4, fixed-seamonkey1.1.5
Attachments (1 file, 1 obsolete file): patch (review+ iannbugzilla; superreview+ jag+mozilla; approval-seamonkey1.1.4+ kairo; approval-seamonkey1.1.5+ kairo)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070716 SeaMonkey/1.1.3
Firefox 2.0.0.5 and Thunderbird 2.0.0.5 included a command line argument called -osint which aims to prevent malicious argument injection through URL protocol handler abuse.
SeaMonkey does not check the -osint argument. As such, it is possible to open the SeaMonkey suite from other browsers and specify arbitrary command line arguments, such as the -chrome argument.
The proof-of-concept exploit uses the mailto: URL protocol handler to open the Mail component of SeaMonkey.
This is similar to the vulnerability in http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/
Reproducible: Always
Steps to Reproduce:
1. Close any running SeaMonkey.exe instances
2. Open http://larholm.com/vuln/seamonkeymailto.html in Internet Explorer
3. SeaMonkey shows the alert
Comment 1 (Reporter) • 17 years ago
I didn't check the "security sensitive" flag on this report as it has already been detailed at http://larholm.com/2007/07/23/seamonkey-suite-affected-by-url-vulnerability/
Cheers
Comment 2 • 17 years ago
Checking the flag is still good -- it sends extra mail about the bug and we can always uncheck it. I didn't see this bug until well after I saw your blog post and started alerting people.
-> mcsmurf per folks on #seamonkey
Assignee: dveditz → bugzilla
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → SeaMonkey 1.1 Branch
Updated • 17 years ago
Version: SeaMonkey 1.1 Branch → unspecified
Updated • 17 years ago
Version: unspecified → 1.8 Branch
Updated • 17 years ago
Flags: blocking-seamonkey1.1.4?
Comment 3 • 17 years ago
I tried to reproduce this with Gecko/20070716 SeaMonkey/1.1.3 and Windows XP SP2.
I closed SeaMonkey and opened above testcase in Internet Explorer 7. SeaMonkey started with a new mail compose window showing the following address:
me@nowhere.com -chrome "javascript:alert(1)"
So the -chrome argument became part of the mail address.
I also tried the same from the command line, using seamonkey.exe -compose me@nowhere.com -chrome "javascript:alert(1)"
Now I got a mail compose window and the alert box. What was different: I wasn't able to close SeaMonkey. Clicking on close removed the mail compose window, but the process remained.
In my registry, HKCR\mailto\shell\command contains this entry:
C:\PROGRA~1\MOZILLA.ORG\SEAMON~1\SEAMON~1.EXE -compose %1
So I can't reproduce it with my system config.
Comment 4 • 17 years ago
I can confirm on my WinXP SP2 laptop that using the testcase in the URL of this bug in IE7, SeaMonkey 1.1.3 comes up with only a compose window with even the -chrome in the To: line. No javascript alert, no vulnerability detected.
Can someone test this with IE6? Maybe it behaves differently in this case. Otherwise, I'm tempted to claim that this bug does not exist in SeaMonkey 1.1.3 (branch).
Comment 5 (Reporter) • 17 years ago
I have tested this with IE6 and SeaMonkey 1.1.3 on Windows XPSP2 and can confirm that I get the alert.
Comment 6 (Assignee) • 17 years ago
Attachment #274081 -
Flags: superreview?(jag)
Attachment #274081 -
Flags: review?(cst)
Comment on attachment 274081 [details] [diff] [review]
Branch patch
I don't understand this.
Attachment #274081 -
Flags: review?(cst)
Updated (Assignee) • 17 years ago
Attachment #274081 -
Flags: review?(iann_bugzilla)
Comment 8 • 17 years ago
Comment on attachment 274081 [details] [diff] [review]
Branch patch
Let's make this a bit simpler:

    #ifdef XP_WIN32
    if (argc > 1 && !strcmp(argv[1], "-osint")) {
        if (argc > 4 || argc > 2 && argv[2][0] != '-' && argv[2][0] != '/')
            return 1;
    }
    #endif

or as Neil suggested:

    #ifdef XP_WIN32
    if (argc > 4 && !strcmp(argv[1], "-osint"))
        return 1;
    #endif

since we only have to worry about those cases where we ourselves put -osint on the command line, so we know it'll be followed by a '-' or '/'.
Attachment #274081 -
Flags: superreview?(jag) → superreview-
Comment 9 (Assignee) • 17 years ago
We can probably assume that -osint is only going to be passed by applications launching us via the registry entries, so we don't have to do extensive checking but simply test that we're not seeing unexpected numbers of arguments.
Assignee: bugzilla → neil
Attachment #274081 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #274206 -
Flags: superreview?(jag)
Attachment #274206 -
Flags: review?(iann_bugzilla)
Attachment #274081 -
Flags: review?(iann_bugzilla)
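As an added example (not the patch attached to this bug), the -osint argument check discussed in comments 8 and 9, written as a stand-alone C function and run against constructed command lines shaped like the ones in comment 3. It assumes the protocol-handler registry entry launches the suite as `seamonkey.exe -osint -compose "%1"`.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the patch attached to this bug. It implements the
 * -osint check from comment 8 as a stand-alone function.
 * Assumption: the protocol-handler registry entry launches us as
 *   seamonkey.exe -osint -compose "%1"
 * so a legitimate command line has at most four arguments and the word
 * after -osint is always one of our own switches ('-' or '/').
 * Returns 1 when the command line must be refused, 0 when it may run. */
static int osint_reject(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "-osint") == 0) {
        /* Extra arguments mean the URL was split by the shell. */
        if (argc > 4)
            return 1;
        /* The argument after -osint must be a switch, not URL text. */
        if (argc > 2 && argv[2][0] != '-' && argv[2][0] != '/')
            return 1;
    }
    /* Without -osint the command line did not come from a URL handler
     * (the assumption stated in comment 9), so nothing is checked. */
    return 0;
}

/* Counts a NULL-terminated argv and applies the check. */
static int osint_reject_vec(char **argv)
{
    int argc = 0;
    while (argv[argc] != NULL)
        argc++;
    return osint_reject(argc, argv);
}

int main(void)
{
    /* Constructed command lines in the shape the mailto handler produces. */
    char *clean[] = {"seamonkey.exe", "-osint", "-compose",
                     "mailto:me@nowhere.com", NULL};
    /* The address from comment 3 after the shell split it into extra words. */
    char *split[] = {"seamonkey.exe", "-osint", "-compose", "me@nowhere.com",
                     "-chrome", "javascript:alert(1)", NULL};
    printf("clean handler launch: %s\n",
           osint_reject_vec(clean) ? "refused" : "accepted");
    printf("split URL launch:     %s\n",
           osint_reject_vec(split) ? "refused" : "accepted");
    return 0;
}
```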
Updated • 17 years ago
Attachment #274206 -
Flags: superreview?(jag) → superreview+
Updated • 17 years ago
Flags: blocking-seamonkey1.1.4? → blocking-seamonkey1.1.4+
Comment 10 • 17 years ago
Comment on attachment 274206 [details] [diff] [review]
Simplified patch
Once this has proper reviews (I hope this is very soon, we should really get 1.1.4 out the door), please check this in to both MOZILLA_1_8_BRANCH (1.1.5) and GECKO181_20070712_RELBRANCH (1.1.4)
Attachment #274206 -
Flags: approval-seamonkey1.1.5+
Attachment #274206 -
Flags: approval-seamonkey1.1.4+
Comment 11 • 17 years ago
Comment on attachment 274206 [details] [diff] [review]
Simplified patch
r=me
Attachment #274206 -
Flags: review?(iann_bugzilla) → review+
Comment 12 (Assignee) • 17 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Keywords: fixed-seamonkey1.1.4, fixed-seamonkey1.1.5
Resolution: --- → FIXED