Yavor Doganov
yavor****@gnu*****
Sun, 15 Nov 2009 22:49:35 JST
Mamoru Tasaka wrote:
> - what is the rationale for disabling to bookmark uri beginning with
> "data:"?

The rationale is explained at http://lcamtuf.coredump.cx/ffbook:

,----
| There is an interesting vulnerability in how Firefox handles
| bookmarks. It is relatively easy to trick a casual user into
| bookmarking a window that does not point to any physical location, but
| rather, is an inline data: URL scheme otherwise convincingly
| pretending to be a "tangible" webpage.
|
| When such a link is later retrieved, Javascript code placed therein
| will execute in the context of a last visited webpage. This is a
| technique used by a legitimate mechanism of bookmarklets - except that
| bookmarklets never attempt to camouflage as a webpage, cannot be
| normally added with Ctrl-D alone, and are expected to be entered and
| invoked as a conscious user action instead.
|
| The impact of such a vulnerability isn't devastating, but any
| attention-grabbing webpage can spawn such a window for the user to
| bookmark, and then exploit this to launch attacks against, for
| example, common start pages such as Google, MSN, or AOL, possibly
| stealing credentials for services such as Google Mail. In an unlikely
| case the victim is browsing local files or special URLs, system
| compromise is possible.
`----

Note that with my patch it is still possible to add a data: or
javascript: bookmark if the user consciously edits the bookmark by hand
(there is probably a useful and non-dangerous application of this
functionality, if the user really knows what he's doing). The
"security" context of allowing this via Bookmarks -> Add to bookmarks
menu is that a webpage can easily trick the user into semi-accidentally
adding a bookmark with subsequent malicious effects as described in the
third paragraph above.

> I have Fedora 12 i686 system and even with firefox 3.5.5
> I can bookmark such uri (i.e. uri beginning with data:)

All versions of Firefox are vulnerable, yes. Mozilla people seem to
agree, the relevant upstream bug is (I believe):
https://bugzilla.mozilla.org/show_bug.cgi?id=528772
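The distinction the message draws, between a bookmark created from the currently displayed page (Ctrl-D / Add to bookmarks) and one the user types into the bookmark editor, can be expressed as a small policy check. The following is an added illustration, not Yavor's patch or any browser's real bookmark code; the function names, the `source` parameter values `"page"` and `"manual"`, and the in-memory `store` array are assumptions made for the example. It also shows why the scheme should be read the way a URL parser reads it (control characters and tabs stripped, case folded) rather than with a bare `startsWith("data:")`, which would miss `" DATA:..."` or `"java\tscript:..."`.

```javascript
// Added example (not from the original message or from any browser):
// a bookmark-add policy that refuses data: and javascript: URIs when the
// bookmark is taken from the current window, but still accepts them when
// the user consciously enters the URI in the bookmark editor.

// Schemes whose content is executed or rendered in the context of a later
// page; blocked for automatic "bookmark this page" actions.
const SCRIPT_SCHEMES = new Set(["data", "javascript"]);

// Extract the scheme roughly the way a browser URL parser does:
// strip leading/trailing C0 controls and spaces, drop embedded tab/newline,
// then match an RFC 3986 scheme and fold it to lower case.
function extractScheme(uri) {
  const cleaned = uri
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a bookmark with this URI may be stored.
// source: "page"   - URI came from the displayed window (Ctrl-D, menu item)
//         "manual" - user typed or edited the URI in the bookmark editor
function bookmarkAllowed(uri, source) {
  const scheme = extractScheme(uri);
  if (scheme === null) return false;      // not an absolute URI at all
  if (source === "manual") return true;   // conscious user action, as the patch allows
  return !SCRIPT_SCHEMES.has(scheme);     // automatic add: refuse data:/javascript:
}

// Simulated "Add to bookmarks" handler: store is a plain array (assumed).
function addBookmarkFromPage(store, title, uri) {
  if (!bookmarkAllowed(uri, "page")) {
    return {
      added: false,
      reason: "refusing to bookmark " + extractScheme(uri) + ": URI taken from a page",
    };
  }
  store.push({ title: title, uri: uri });
  return { added: true };
}

// Constructed sample run (not real bookmarks).
const demoStore = [];
const demoResults = [
  addBookmarkFromPage(demoStore, "Example", "https://example.org/"),
  addBookmarkFromPage(demoStore, "Looks like a page", "data:text/html,<title>Example</title>"),
  addBookmarkFromPage(demoStore, "Obfuscated", " java\tscript:void(0)"),
];
```

The same `bookmarkAllowed` check can be called with `source = "manual"` from the bookmark editor's save path, which keeps bookmarklets working for users who add them deliberately while closing the semi-accidental Ctrl-D route the message describes.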