[Kazehakase-devel 2932] Re: CVE-2007-1084 bookmarklets cross-site info disclosure

Back to the archive index

Yavor Doganov yavor****@gnu*****
Sun, 15 Nov 2009 22:49:35 JST


Mamoru Tasaka wrote:
> - what is the rationale for disabling the bookmarking of URIs beginning
>   with "data:"?

The rationale is explained at http://lcamtuf.coredump.cx/ffbook:
,----
| There is an interesting vulnerability in how Firefox handles
| bookmarks. It is relatively easy to trick a casual user into
| bookmarking a window that does not point to any physical location, but
| rather, is an inline data: URL scheme otherwise convincingly
| pretending to be a "tangible" webpage.
| 
| When such a link is later retrieved, Javascript code placed therein
| will execute in the context of a last visited webpage. This is a
| technique used by a legitimate mechanism of bookmarklets - except that
| bookmarklets never attempt to camouflage as a webpage, cannot be
| normally added with Ctrl-D alone, and are expected to be entered and
| invoked as a conscious user action instead.
| 
| The impact of such a vulnerability isn't devastating, but any
| attention-grabbing webpage can spawn such a window for the user to
| bookmark, and then exploit this to launch attacks against, for
| example, common start pages such as Google, MSN, or AOL, possibly
| stealing credentials for services such as Google Mail. In an unlikely
| case the victim is browsing local files or special URLs, system
| compromise is possible.
`----

Note that with my patch it is still possible to add a data: or
javascript: bookmark if the user consciously edits the bookmark
manually (there are probably useful and non-dangerous applications of
this functionality, if the user really knows what he's doing).  The
"security" context of allowing this via Bookmarks -> Add to bookmarks
menu is that a webpage can easily trick the user into semi-accidentally
adding a bookmark with subsequent malicious effects as described in
the third paragraph above.

> I have a Fedora 12 i686 system and even with firefox 3.5.5
>   I can bookmark such a URI (i.e. a URI beginning with data:)

All versions of Firefox are vulnerable, yes.  Mozilla people seem to
agree; the relevant upstream bug is (I believe):

https://bugzilla.mozilla.org/show_bug.cgi?id=528772
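A scheme check of the kind the reply describes, written as an added example for this page. It is not Kazehakase's code and not the patch under discussion; the function names, the `bookmark_origin` enum and the sample URIs are invented for illustration. It shows why a literal `strncmp` on "data:" is not enough: a browser's URL parser strips leading and trailing spaces and C0 controls, drops ASCII tab, CR and LF anywhere in the input, and lowercases the scheme (this is how the WHATWG URL Standard specifies it), so " data:", "DATA:" and "java\tscript:" all resolve to the same schemes a naive prefix check would let through. The hardened version normalises the same way before comparing, and the policy function keeps the distinction from the reply: the "Add to bookmarks" path refuses scripted schemes, a conscious manual edit does not.

```c
/* Added example, not Kazehakase's own code.  Names and sample inputs are
 * invented for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Schemes whose target is not a "tangible" location but code that runs in
 * the context of whatever page is current (the bookmarklet mechanism). */
static const char *const scripted_schemes[] = { "data", "javascript", NULL };

/* Naive check: a literal prefix compare on the raw string.  Misses "DATA:",
 * " data:" and "java\tscript:", which the URL parser treats as the same
 * scheme (assumption stated in the lead-in: URL Standard normalisation). */
bool naive_is_scripted_uri(const char *uri)
{
    return strncmp(uri, "data:", 5) == 0 ||
           strncmp(uri, "javascript:", 11) == 0;
}

/* Extract the scheme the way a URL parser sees it: skip leading C0/space,
 * drop tab/CR/LF inside, lowercase, stop at the first ':'.
 * Returns false when the string has no well-formed scheme. */
static bool extract_scheme(const char *uri, char *out, size_t outlen)
{
    size_t n = 0;

    while (*uri && (unsigned char)*uri <= 0x20)   /* leading C0 + space */
        uri++;
    if (!isalpha((unsigned char)*uri))            /* scheme starts with a letter */
        return false;

    for (; *uri && *uri != ':'; uri++) {
        unsigned char c = (unsigned char)*uri;
        if (c == '\t' || c == '\n' || c == '\r')  /* stripped by the parser */
            continue;
        if (!isalnum(c) && c != '+' && c != '-' && c != '.')
            return false;                         /* not a scheme character */
        if (n + 1 >= outlen)
            return false;
        out[n++] = (char)tolower(c);
    }
    if (*uri != ':')
        return false;
    out[n] = '\0';
    return n > 0;
}

/* Hardened check: compare the normalised scheme against the deny list. */
bool is_scripted_uri(const char *uri)
{
    char scheme[32];
    if (!extract_scheme(uri, scheme, sizeof scheme))
        return false;
    for (size_t i = 0; scripted_schemes[i] != NULL; i++)
        if (strcmp(scheme, scripted_schemes[i]) == 0)
            return true;
    return false;
}

/* Policy from the reply: the menu / Ctrl-D path, where a page can trick the
 * user into bookmarking its own window, refuses scripted schemes; a manual
 * edit of a bookmark by the user is still allowed. */
enum bookmark_origin { BOOKMARK_FROM_PAGE, BOOKMARK_MANUAL_EDIT };

bool bookmark_uri_allowed(const char *uri, enum bookmark_origin origin)
{
    if (origin == BOOKMARK_MANUAL_EDIT)
        return true;
    return !is_scripted_uri(uri);
}
```

The hardened check rejects anything that does not parse as a scheme (a bare path, an empty string) as "not scripted" and leaves the caller to decide what to do with such input; the deny list is deliberately short because the page only argues about data: and javascript:, and any scheme a backend resolves to inline content would need the same treatment.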




Kazehakase-devel mailing list information