Code execution through javascript: favicons

Bug #16231 reported by Tres Seaver on 2005-04-19
Affects: firefox (Ubuntu)
Importance: Critical
Assigned to: Thom May

Bug Description

Firefox and the Mozilla Suite support custom "favicons" through the
<LINK rel="icon"> tag. If a link tag is added to the page programmatically and a
javascript: URL is used, then script will run with elevated privileges and could
run or install malicious software.

Workaround: Disable javascript.

Fixed in: Firefox 1.0.3 / Mozilla Suite 1.7.7

References:

 - http://www.mikx.de/firelinking/

 - https://bugzilla.mozilla.org/show_bug.cgi?id=290036

 - http://www.mozilla.org/security/announce/mfsa2005-37.html
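The check a hardened favicon loader needs, as an added example that is not code from the bug report, from Mozilla or from Ubuntu: it resolves each <link> href against the page URL and honours only http/https icons, so a javascript: href (including whitespace and case variants) is dropped instead of being handed to the script engine. Runs under Node without a DOM; the page URL, the link list and the strict scheme allowlist are constructed for the example.

```javascript
// Added example, not code from the bug report or from Mozilla/Ubuntu.
// Models the check a page author or a browser's favicon loader can apply
// before honouring a <link rel="icon" href="..."> inserted into the page:
// resolve the href against the page URL and accept only fetchable web
// schemes, so a "javascript:" href is never treated as an icon to load.

// Schemes a favicon may legitimately use. Kept deliberately strict
// (assumption for this example: data: and blob: icons are not needed).
const ALLOWED_ICON_SCHEMES = new Set(["http:", "https:"]);

// Returns the absolute icon URL to fetch, or null if the href must be ignored.
function safeIconUrl(href, pageUrl) {
  let parsed;
  try {
    // The WHATWG URL parser strips leading/trailing whitespace and
    // lower-cases the scheme, so "  JavaScript:..." still yields "javascript:".
    parsed = new URL(href, pageUrl);
  } catch (e) {
    return null; // unparseable href: refuse rather than guess
  }
  if (!ALLOWED_ICON_SCHEMES.has(parsed.protocol)) {
    return null;
  }
  return parsed.href;
}

// rel is a space-separated token list; "icon" and the legacy
// "shortcut icon" both designate a favicon.
function isIconLink(relAttr) {
  return relAttr
    .trim()
    .toLowerCase()
    .split(/\s+/)
    .includes("icon");
}

// Given <link> elements (as {rel, href} objects, since this runs without a
// DOM), return the icon URLs a hardened loader would actually fetch.
function acceptedIconUrls(links, pageUrl) {
  const accepted = [];
  for (const link of links) {
    if (!isIconLink(link.rel || "")) continue;
    const url = safeIconUrl(link.href || "", pageUrl);
    if (url !== null) accepted.push(url);
  }
  return accepted;
}

// Constructed sample: the links a page might end up with after scripts
// have appended <link> elements at runtime.
const SAMPLE_PAGE_URL = "https://example.test/news/index.html";
const SAMPLE_LINKS = [
  { rel: "icon", href: "/favicon.ico" },
  { rel: "shortcut icon", href: "http://cdn.example.test/icon.png" },
  { rel: "icon", href: "javascript:void(0)" },          // the pattern from this bug
  { rel: "ICON", href: "  JavaScript:void(0)" },        // whitespace/case variant
  { rel: "stylesheet", href: "javascript:void(0)" },    // not an icon link at all
  { rel: "icon", href: "data:image/png;base64,AAAA" },  // rejected by the strict allowlist
];

function demo() {
  return acceptedIconUrls(SAMPLE_LINKS, SAMPLE_PAGE_URL);
}

console.log(demo());
// ["https://example.test/favicon.ico", "http://cdn.example.test/icon.png"]
```

Rejecting by allowlist rather than by looking for the string "javascript:" is the point: the parser normalises case and whitespace for you, and any future scheme that is not an ordinary fetchable URL is refused by default.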

David Klotz (ravenmokel) wrote :

This is pretty serious, I just tried out the demo-exploit from
http://www.mikx.de/firelinking/ on my hoary firefox and it worked
and successfully created a file in my home directory just by
opening a link.
I think ff 1.0.3. should definitely go into hoary-updates or the
fixes should at least be backported to the 1.0.2 in hoary (but I don't
really see a reason for not updating to 1.0.3, we're not debian stable ;)).
And it's not the only serious hole in 1.0.2, just take a look at
what was fixed in 1.0.3 on
http://www.mozilla.org/projects/security/known-vulnerabilities.html

bye,
david

removed (removed) wrote :

*** Bug 16476 has been marked as a duplicate of this bug. ***

removed (removed) wrote :

Jdong has produced a backport that fixes this issue.

Maybe this can be promoted to the official Ubuntu repositories?

Created an attachment (id=2181)
possible patch

This is the (trivial) patch that seemingly went into 1.0.3 to fix this issue.
Just slightly adapted to match hoary's firefox. From a quick glance at 0.9.3's
source, this should be easy to adapt to warty, too.

Thom May (thombot) wrote :

We have patches prepared for this and other issues, and are currently testing
them for a release early next week.

Thom May (thombot) wrote :

*** Bug 16536 has been marked as a duplicate of this bug. ***

removed (removed) wrote :

A full week passed, still no patch?

Thom May (thombot) wrote :

(In reply to comment #7)
> A full week passed, still no patch?

It's in the security queue. You do realise that 1.0.3 had about 10 security
vulns and all of them needed testing and patching, not just this one, right?

removed (removed) wrote :

(In reply to comment #8)
> (In reply to comment #7)
> > A full week passed, still no patch?
>
> It's in the security queue. You do realise that 1.0.3 had about 10 security
> vulns and all of them needed testing and patching, not just this one, right?

Yes, I do. But this bug is a serious breach of security, which makes some
people (including me) very nervous.
Are there problems applying the patches?

Thom May (thombot) wrote :

As I said, "It's in the security queue." This means it's done and merely waiting
for a security release.

removed (removed) wrote :

(In reply to comment #10)
> As I said, "It's in the security queue." This means it's done and merely waiting
> for a security release.

Does this include patches for Warty?

Please bear in mind that Firefox release 1.0.3 did not close this favicons code
execution bug completely. For example, the "c't Browser demo" at
http://www.heise.de/security/dienste/browsercheck/demos/nc/mozdemo3.shtml still
works with Firefox 1.0.3 as well as with the latest Ubuntu Firefox package
("c't" is a major computer magazine in Germany. Just click on "Test ausführen".
Then an xterm will open that shows all files on your hard drive). This bug is
fixed in Firefox 1.0.4. Please include these fixes in the next Hoary security
release.

removed (removed) wrote :

It's great that the patch is out (although the c't test seems to indicate that
it is not completely fixed).
But, what about Warty? I have two boxes (out of 4) still running Warty.

Martin Pitt (pitti) wrote :

Warty was fixed in USN-149-3.
