web application security lab

Firefox Popup Blocker Allows Local Access

Cyber Legionnaire pointed me to a link on SecuriTeam to an exploit found by Michael Zalewski that allows malicious users to access local files when users click to agree to have popups appear. This may not seem like that bad a problem on the surface (because when would you allow that to happen on a malicious site?), but the problem is that it’s very easy to control a non-malicious site through (yup, you guessed it) XSS.

If I can XSS a page that a user otherwise trusts and change all the links to tell the user that they must allow popups, they will do so, giving the attacker complete access to the user’s drive in Firefox. Apparently Firefox completely bypasses all same origin policy restrictions once the popup blocker is turned off. Pretty nasty.
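The chain above only works if the trusted page ends up carrying a link to a local file for the user to click. A cheap defensive check on the content a site actually serves is to audit its anchors and flag any href that resolves to the file: scheme, since a legitimately served page should never contain one. The following is an added example (not code from the original post or from Mozilla); it is regex-based so it runs in Node without a DOM, the sample page and its `example.test` URLs are constructed, and the `file:///C:/...` path is a placeholder.

```javascript
// Added example, not from the original post: audit the anchors in a served
// page and report any whose href resolves to a local-file URL. An injected
// file: link on a trusted page is one visible symptom of the XSS-driven
// variant described above. Regex-based audit aid, not a full HTML parser.

const LOCAL_SCHEMES = new Set(["file:"]);

// Pull every href="..." / href='...' / href=bare value out of <a> tags,
// case-insensitively (the attribute name and scheme may be upper-cased).
function extractHrefs(html) {
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hrefs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    hrefs.push((m[1] ?? m[2] ?? m[3]).trim());
  }
  return hrefs;
}

// Resolve each href against the page's own URL so relative links inherit
// the page's scheme, then return the ones that land on a local file.
function findLocalFileLinks(html, pageUrl) {
  const suspicious = [];
  for (const href of extractHrefs(html)) {
    let resolved;
    try {
      resolved = new URL(href, pageUrl);
    } catch {
      continue; // malformed href: cannot be a file: link, skip it
    }
    if (LOCAL_SCHEMES.has(resolved.protocol)) {
      suspicious.push({ href, resolved: resolved.href });
    }
  }
  return suspicious;
}

// Constructed sample page: two legitimate links plus one injected file: link
// dressed up with the "allow popups" instruction the post describes.
const SAMPLE_HTML = `
<html><body>
  <a href="/login">Log in</a>
  <a href='https://example.test/help'>Help</a>
  <p>Click here, then choose "Allow popups once":</p>
  <a HREF="FILE:///C:/Users/placeholder/Desktop/report.html">Open your report</a>
</body></html>`;

console.log(findLocalFileLinks(SAMPLE_HTML, "https://example.test/news"));
```

Running it prints the single injected anchor with its normalized `file:` URL; the two site-relative and HTTPS links are ignored because `new URL()` resolves them under the page's own scheme.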

3 Responses to “Firefox Popup Blocker Allows Local Access”

  1. Edward Z. Yang Says:

    From what I hear Firefox 2.0 is not affected. Anyone can confirm?

  2. Gavin Sharp Says:

    Edward: There seems to be a lot of confusion everywhere about which versions of Firefox are affected. You can tell from the bug report (Mozilla bug 369427) that all active branches (1.5.0.x, 2.0.0.x and trunk) are affected.

    RSnake: your description of the problem is not quite accurate: The problem only exists when a blocked popup is “allowed once”. That’s not the same as whitelisting the site, so saying “Apparently Firefox completely bypasses all same origin policy restrictions once the popup blocker is turned off” is flat out wrong. If the popup blocker is turned off, or if the site is whitelisted, this problem doesn’t exist, since you can’t “allow once” a popup if it wasn’t blocked in the first place.

    Second: exploiting this bug does not result in “[getting] complete access to the user’s drive”. What you gain with this exploit is the ability to link to a local file, which in turn can access other local files. To truly “get access to the user’s drive” you’d need to have the malicious code already installed on the user’s hard drive. Admittedly, it’s fairly likely you could convince users to save a malicious page to disk if you tried hard enough, and you could also combine this vector with the “predictable random temp file” trick described in Mozilla bug 369428 (the bug describing the use of all these individual issues is Mozilla bug 369390), but the characterization that the floodgates are wide open once this bug is triggered is misleading.

  3. RSnake Says:

    Ah, what I did say was misleading now that I re-read what I wrote. Thanks for the clarification, Gavin - you would know better than I.