Firefox Popup Blocker Allows Local Access
Cyber Legionnaire pointed me to a link on SecuriTeam to an exploit found by Michal Zalewski that allows malicious users to access local files when users click to agree to have popups appear. This may not seem like that bad a problem on the surface (because when would you allow that to happen on a malicious site?), but the problem is that it’s very easy to control a non-malicious site through (yup, you guessed it) XSS.
If I can XSS a page that a user otherwise trusts and change all the links to tell the user that they must allow popups, they will do so, giving you complete access to the user’s drive in Firefox. Apparently Firefox completely bypasses all same origin policy restrictions once the popup blocker is turned off. Pretty nasty.

February 9th, 2007 at 8:06 pm
From what I hear Firefox 2.0 is not affected. Can anyone confirm?
February 9th, 2007 at 11:14 pm
Edward: There seems to be a lot of confusion everywhere about which versions of Firefox are affected. You can tell from the bug report (Mozilla bug 369427) that all active branches (1.5.0.x, 2.0.0.x and trunk) are affected.
RSnake: your description of the problem is not quite accurate: The problem only exists when a blocked popup is “allowed once”. That’s not the same as whitelisting the site, so saying “Apparently Firefox completely bypasses all same origin policy restrictions once the popup blocker is turned off” is flat out wrong. If the popup blocker is turned off, or if the site is whitelisted, this problem doesn’t exist, since you can’t “allow once” a popup if it wasn’t blocked in the first place.
Second: exploiting this bug does not result in “[getting] complete access to the user’s drive”. What you gain with this exploit is the ability to link to a local file, which in turn can access other local files. To truly “get access to the user’s drive” you’d need to have the malicious code already installed on the user’s hard drive. Admittedly, it’s fairly likely you could convince users to save a malicious page to disk if you tried hard enough, and you could also combine this vector with the “predictable random temp file” trick described in Mozilla bug 369428 (the bug describing the use of all these individual issues is Mozilla bug 369390), but the characterization that the floodgates are wide open once this bug is triggered is misleading.
February 10th, 2007 at 8:03 pm
Ah, what I did say was misleading now that I re-read what I wrote. Thanks for the clarification, Gavin - you would know better than I.