Subject: Firefox Cache Hack - Firefox History Hack redux From: "pdp (architect)" <pdp.gnucitizen@googlemail.com> To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, "WASC Forum" <websecurity@webappsec.org> Date: Fri, 23 Feb 2007 12:32:29 +0000 Message-ID: <6905b1570702230432q5a0a5b7eq4839d709748f9b90@mail.gmail.com> http://www.gnucitizen.org/projects/hscan-redux/ [...] This vulnerability is not a reworked version of Jeremiah Grossman history hack. It is completely different and it should be treated as a new issue. The peculiar thing about this vulnerability is that it tells you which URLs you have attended during the current browser session (the last time you opened your browser). I am not sure how useful this is. Keep in mind that attackers can abuse this vulnerability in order to extract valuable information about your browsing habits. They can also use this hack to precisely detect whether you are logged into your router management interface. They can use this hack to detect your router type and version as well. Based on this information, they might be able to compromise the integrity of your network. The POC is located [... below]. If all checks show up as NOT visited, then visit one of the listed URLs and retest again. http://www.gnucitizen.org/projects/hscan-redux/poc.htm

It seems you can only test for specific URLs, not really getting the list. Compare bug 147777.

So on trunk this doesn't work at all, because CheckLoadURI blocks the loads. On branch, it doesn't because about: is a ChromeProtocol and <script> is allowed to load such on branch (because we want to allow loading of chrome:// scripts or something). Now why the heck is about: a ChromeProtocol instead of a DenyProtocol? It used to be the latter, but then the change to implement about:about in bug 56061 changed it. The comments about the security implications of that change in that bug are completely bogus. It allowed a heck of a lot more than chrome:// URIs to load about: URIs. And more importantnly, chrome:// should already have the system principal, so on the 1.8 branch (where we use CheckLoadURIWithPrincipal in all the sane cases) we really don't need that change.

Why should <script> be able to load chrome:// ?

Long story which doesn't really belong here. See bug 292789.

Comment on attachment 256194 [details] [diff] [review] Fix r/sr=dveditz

Note that this means on-disk help pages can't link to things like about:license or about:credits. Not worth opening privacy holes for, but prepare for complaints.

Not sure why this was filed as a trunk bug, since the issue is branch-only.

> Note that this means on-disk help pages Hmm... Are those something we ship?

we (Mozilla) don't, no, but some distros/OEMs might. But then, I'm not sure they're linking to about: anything from there. Just thought I'd mention it in case it reminded someone of a similar use.

Comment on attachment 256194 [details] [diff] [review] Fix approved for 1.8/1.8.0 branches, a=dveditz for drivers

Fixed on both branches, tests checked in.