Closed
Bug 72131
Opened 24 years ago
Closed 23 years ago
Getting mail directory path using relative link
Categories
(MailNews Core :: Security, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
mozilla0.9.1
People
(Reporter: security-bugs, Assigned: mscott)
References
Details
(Whiteboard: [nsbeta1+])
Attachments
(1 file)
(deleted),
patch
It is possible for an email message to find the directory where the POP3 mailbox is.
This may lead to attacks against prefs.js.
The code in the email message is:
----------------------------------------------
<A HREF="#">LINK1</A>
<script>
alert(document.links[0].href);
</script>
----------------------------------------------
Georgi Guninski
Updated•24 years ago
QA Contact: junruh → ckritzer
Comment 1•24 years ago
Qa > ckritzer
Reporter
Updated•23 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.1
Assignee
Comment 2•23 years ago
Mitch and I think this bug depends on 77539 where the base tag mime is
generating isn't being honored.
Depends on: 77539
Comment 3•23 years ago
assigning to mscott (mstoltz believes that your fix to some other bug fixes this
one). If not, please bounce it back to mstoltz.
Assignee: mstoltz → mscott
Status: ASSIGNED → NEW
Updated•23 years ago
Assignee
Comment 4•23 years ago
Assignee
Comment 5•23 years ago
Okay this blocks calls on nsMsgMailNewsUrl::Resolve. The only time a partial url
can get resolved against a mailnews url is if it's an anchor tag. (See 54373).
Although as I look at this bug report I see that the attack is actually using an
anchor tag to find out the mail path. So I'm not sure how to fix this bug now.
We don't want to lose the ability to have anchors in mail messages if we can
avoid it. Most of our managers use anchors when they write their weekly status
reports and they need to work in the message pane when reading the message =).
Reporter
Comment 6•23 years ago
An alternative may be to block scripts in messages from accessing anchor URLs. I
can do that from my end, I think.
Reporter
Comment 7•23 years ago
Scott, let's check in your patch, and in addition I'll block scripts in mail
from accessing HTMLAnchor.href and related properties. Combined, I think that
will solve the problem.
r=mstoltz on your patch, FWIW.
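The reasoning in comments 5 to 7, as an added example that is not part of the original bug thread and is not Mozilla's code: it models the "only fragments may resolve against the message URL" policy and checks which resolved links still carry the local path. The `mailbox:` base URL, the function names and the sample hrefs are constructed assumptions.

```javascript
// Added illustration, not Mozilla code. BASE is a constructed stand-in for the
// URL a locally stored message is displayed from; the path is made up.
const BASE = "mailbox:///home/alice/Mail/pop.example.test/Inbox?number=42";

// Policy from comment 5: a partial URL is resolved against the message URL
// only when it is a pure fragment (an in-message anchor).
function resolveInMessage(ref, base = BASE) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(ref)) {
    try {
      return { allowed: true, href: new URL(ref).href }; // absolute, base unused
    } catch {
      return { allowed: false, href: null }; // malformed absolute URL
    }
  }
  if (ref.startsWith("#")) {
    return { allowed: true, href: new URL(ref, base).href };
  }
  return { allowed: false, href: null }; // relative path or query: blocked
}

// True when a resolved href carries the local mailbox path from the base URL.
function leaksLocalPath(href, base = BASE) {
  return href !== null && href.includes(new URL(base).pathname);
}

// Audit a list of href attribute values as they might appear in a message body.
function auditLinks(refs, base = BASE) {
  return refs.map((ref) => {
    const { allowed, href } = resolveInMessage(ref, base);
    return { ref, allowed, leaks: leaksLocalPath(href, base) };
  });
}

// Constructed sample hrefs: two anchors, one relative path, one absolute URL.
const SAMPLE_REFS = ["#", "#week-21", "images/logo.png", "https://example.test/status"];
for (const row of auditLinks(SAMPLE_REFS)) {
  console.log(row);
}
```

The two anchor rows come back allowed and still carrying the mailbox path, which is the case comment 5 identifies and comment 7 addresses by denying scripts in mail access to HTMLAnchor.href.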
Assignee
Comment 8•23 years ago
cool. thanks Mitch.
I'm checking this bad boy in as soon as the tree opens tonight.
Assignee
Comment 9•23 years ago
I checked in the mailnews part to this bug.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Reporter
Comment 10•23 years ago
I already checked in the caps part. That should do it.
Comment 11•23 years ago
No alert thrown. I also added a document.write() statement and it didn't display
that either. Nice job dudes.
Marking VERIFIED FIXED on:
-MacOS91 2001-05-23-08-trunk
-Win98SE 2001-05-23-09-trunk
-LinRH62 2001-05-23-08-trunk
Status: RESOLVED → VERIFIED
Updated•20 years ago
Product: MailNews → Core
Updated•16 years ago
Product: Core → MailNews Core
Updated•14 years ago
Group: netscapeconfidential