Closed Bug 72131 Opened 24 years ago Closed 23 years ago

Getting mail directory path using relative link

Categories

(MailNews Core :: Security, defect, P2)

Product:
MailNews Core
Component:
Security
Platform:
x86
Windows NT
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.1

People

(Reporter: security-bugs, Assigned: mscott)

References

Details

(Whiteboard: [nsbeta1+])

Attachments

(1 file)

potential fix --> block calls to ::Resolve on mailnews urls.
(deleted), patch
Details | Diff | Splinter Review 
It is possible email message to find the directory where the POP3 mailbox is.
This may lead to attacks against prefs.js.
The code in email message is:
----------------------------------------------
<A HREF="#">LINK1</A>
<script>
alert(document.links[0].href);
</script>
----------------------------------------------


Georgi Guninski
QA Contact: junruh → ckritzer
Qa > ckritzer
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.1
Mitch and I think this bug depends on 77539 where the base tag mime is
generating isn't being honored.
Depends on: 77539
assigning to mscott (mstoltz believs that your fix to some other bug fixes this
one). If not, please bounce it back to mstoltz.
Assignee: mstoltz → mscott
Status: ASSIGNED → NEW
Keywords: nsbeta1
Priority: -- → P2
Whiteboard: [nsbeta1+]
Okay this blocks calls on nsMsgMailNewsUrl::Resolve. The only time a partial url
can get resolved against a mailnews url is if it's an anchor tag. (See 54373).

Although as I look at this bug report I see that the attack is actually using an
anchor tag to found out the mail path. So I"m not sure how to fix this bug now.
We don't want to lose the ability to have anchors in mail messages if we can
avoid it. Most of our managers use anchors when they write their weekly status
reports and they need to work in the message pand when reading the message =).
An alternative amy be to block scripts in messages from accessing anchor URLs. I
can do that from my end, I think.
Scott, let's check in your patch, and in addition I'll block scripts in mail
from accessing HTMLAnchor.href and related properties. Combined, I think that
will solve the problem.

r=mstoltz on your patch, FWIW.
cool. thanks Mitch. 

I'm checking this bad boy in as soon as the tree opens tonight. 
I checked in the mailnews part to this bug.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
I already checked in the caps part. That should do it.
No alert thrown.  I also added a document.write() statement and it didn't display 
that either.  Nice job dudes.

Marking VERIFIED FIXED on:
-MacOS91 2001-05-23-08-trunk
-Win98SE 2001-05-23-09-trunk
-LinRH62 2001-05-23-08-trunk
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
Group: netscapeconfidential
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: