Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
I do know of a few popular sites that use bookmarklets, such as Delicious (http://delicious.com/help/bookmarklets). It can be useful for simple, cross-browser tasks.

Using 2.22.3 the mouseover text (if it's in your toolbar) does warn you:

Executes the script Bookmarklet Name

But dragging it to the toolbar produces no warning whatsoever. In my quick testing, no browser throws a warning when using drag-and-drop. I agree that there should be some sort of notification that the bookmark being added contains Javascript and could be malicious.

Peter Chapman

--
From: Mike Hommey m...@glandium.org
Sent: Monday, November 16, 2009 1:00 PM
To: Michael Gilbert michael.s.gilb...@gmail.com; 556...@bugs.debian.org
Subject: Re: Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure

On Mon, Nov 16, 2009 at 11:48:29AM -0500, Michael Gilbert wrote:
> so, you're saying that this is a good feature and hence must be kept based on the fact that it is currently available in a lot of browsers (i.e. all gecko-based browsers and no webkit/khtml browsers)?

It works in (at least) safari, IE, Firefox and Opera. I'm pretty sure it at least worked before in Konqueror.

Mike

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
On Mon, 16 Nov 2009 09:53:36 +0100, Josselin Mouette wrote:
> On Monday 16 November 2009 at 09:37 +0100, Mike Hommey wrote:
> > On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
> > > What’s a bookmarklet? I don’t even know whether epiphany supports this.
> >
> > It's javascript code you bookmark and can run on any site. A bit like greasemonkey, but crossbrowser. It's designed to run in the current page context, so the security issue here is by design.
>
> Confirmation before saving the bookmarklet to the list of bookmarks? If so, I’d say epiphany is not affected, since it always asks for confirmation whenever you bookmark something.

right, but the current dialog doesn't throw up a scary warning saying that the bookmark contains potentially dangerous javascript, so some work would need to be done to implement that. or, the safer solution would be to disallow javascript in bookmarks. who in their right mind needs that (anti)feature anyway???

note that with respect to epiphany, only the gecko backend is affected. webkit currently acts wacky when bookmarking a site with javascript in the bookmark.

mike
Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
On Mon, Nov 16, 2009 at 11:25:04AM -0500, Michael Gilbert wrote:
> On Mon, 16 Nov 2009 09:53:36 +0100, Josselin Mouette wrote:
> > On Monday 16 November 2009 at 09:37 +0100, Mike Hommey wrote:
> > > On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
> > > > What’s a bookmarklet? I don’t even know whether epiphany supports this.
> > >
> > > It's javascript code you bookmark and can run on any site. A bit like greasemonkey, but crossbrowser. It's designed to run in the current page context, so the security issue here is by design.
> >
> > Confirmation before saving the bookmarklet to the list of bookmarks? If so, I’d say epiphany is not affected, since it always asks for confirmation whenever you bookmark something.
>
> right, but the current dialog doesn't throw up a scary warning saying that the bookmark contains potentially dangerous javascript, so some work would need to be done to implement that. or, the safer solution would be to disallow javascript in bookmarks. who in their right mind needs that (anti)feature anyway???

It's a very useful feature. There has been some kind of DOM inspector in such bookmarks way before firebug existed, and it has the advantage of being cross browsers.
Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
On Mon, 16 Nov 2009 17:34:39 +0100, Mike Hommey wrote:
> On Mon, Nov 16, 2009 at 11:25:04AM -0500, Michael Gilbert wrote:
> > On Mon, 16 Nov 2009 09:53:36 +0100, Josselin Mouette wrote:
> > > On Monday 16 November 2009 at 09:37 +0100, Mike Hommey wrote:
> > > > On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
> > > > > What’s a bookmarklet? I don’t even know whether epiphany supports this.
> > > >
> > > > It's javascript code you bookmark and can run on any site. A bit like greasemonkey, but crossbrowser. It's designed to run in the current page context, so the security issue here is by design.
> > >
> > > Confirmation before saving the bookmarklet to the list of bookmarks? If so, I’d say epiphany is not affected, since it always asks for confirmation whenever you bookmark something.
> >
> > right, but the current dialog doesn't throw up a scary warning saying that the bookmark contains potentially dangerous javascript, so some work would need to be done to implement that. or, the safer solution would be to disallow javascript in bookmarks. who in their right mind needs that (anti)feature anyway???
>
> It's a very useful feature. There has been some kind of DOM inspector in such bookmarks way before firebug existed,

addons seem like a better place for code/script execution anyway (since there are already warnings about installing/running that stuff). from my perspective (and from a solid security standpoint) bookmarks should be static. i.e. users should get what they expect every single time they click the bookmark.

> and it has the advantage of being cross browsers.

so, you're saying that this is a good feature and hence must be kept based on the fact that it is currently available in a lot of browsers (i.e. all gecko-based browsers and no webkit/khtml browsers)?

mike
Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
On Mon, Nov 16, 2009 at 11:48:29AM -0500, Michael Gilbert wrote:
> so, you're saying that this is a good feature and hence must be kept based on the fact that it is currently available in a lot of browsers (i.e. all gecko-based browsers and no webkit/khtml browsers)?

It works in (at least) safari, IE, Firefox and Opera. I'm pretty sure it at least worked before in Konqueror.

Mike
Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
On Saturday 14 November 2009 at 20:36 -0500, Michael Gilbert wrote:
> The following CVE (Common Vulnerabilities Exposures) id was published.
>
> CVE-2007-1084[0]:
> | Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
> | saving bookmarklets, which allows remote attackers to bypass the
> | same-domain policy by tricking a user into saving a bookmarklet with a
> | data: scheme, which is executed in the context of the last visited web
> | page.
>
> If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

What’s a bookmarklet? I don’t even know whether epiphany supports this.

Cheers,
--
 .''`.      Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `-     future understand things”  -- Jörg Schilling
Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
> On Saturday 14 November 2009 at 20:36 -0500, Michael Gilbert wrote:
> > The following CVE (Common Vulnerabilities Exposures) id was published.
> >
> > CVE-2007-1084[0]:
> > | Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
> > | saving bookmarklets, which allows remote attackers to bypass the
> > | same-domain policy by tricking a user into saving a bookmarklet with a
> > | data: scheme, which is executed in the context of the last visited web
> > | page.
> >
> > If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.
>
> What’s a bookmarklet? I don’t even know whether epiphany supports this.

It's javascript code you bookmark and can run on any site. A bit like greasemonkey, but crossbrowser. It's designed to run in the current page context, so the security issue here is by design.

To alleviate the broken-by-design part, the CVE says the browser should ask for confirmation, like everybody reads alerts and makes informed decisions. Haha.

Mike
Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
On Monday 16 November 2009 at 09:37 +0100, Mike Hommey wrote:
> On Mon, Nov 16, 2009 at 09:17:58AM +0100, Josselin Mouette wrote:
> > What’s a bookmarklet? I don’t even know whether epiphany supports this.
>
> It's javascript code you bookmark and can run on any site. A bit like greasemonkey, but crossbrowser. It's designed to run in the current page context, so the security issue here is by design.

Confirmation before saving the bookmarklet to the list of bookmarks? If so, I’d say epiphany is not affected, since it always asks for confirmation whenever you bookmark something.

> To alleviate the broken-by-design part, the CVE says the browser should ask for confirmation, like everybody reads alerts and makes informed decisions. Haha.

Another case of “security by unusability” I guess. After the huge success of Vista and Firefox 3…

Cheers,
--
 .''`.      Josselin Mouette
: :' :
`. `'   “I recommend you to learn English in hope that you in
  `-     future understand things”  -- Jörg Schilling
Bug#556272: epiphany-browser: CVE-2007-1084 bookmarklets cross-site info disclosure
Package: epiphany-browser
Version: 2.29.1-2
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities Exposures) id was published.

CVE-2007-1084[0]:
| Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
| saving bookmarklets, which allows remote attackers to bypass the
| same-domain policy by tricking a user into saving a bookmarklet with a
| data: scheme, which is executed in the context of the last visited web
| page.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1084
    http://security-tracker.debian.org/tracker/CVE-2007-1084
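
An added example, not part of the thread and not epiphany's code: the check a bookmark-save dialog could run to decide between the two options discussed in this bug (warn before saving a script-carrying bookmark, or refuse it), covering both javascript: bookmarklets and the data: case named in the CVE text. The function names and the allow/warn/block policy are assumptions made for illustration.

```javascript
// Added example; function names and the allow/warn/block policy are assumptions.

// data: media types a browser may render as an active (scriptable) document.
const ACTIVE_DATA_TYPES = new Set([
  "text/html", "application/xhtml+xml", "image/svg+xml",
  "text/xml", "application/xml",
]);

// Normalise as URL parsers do before reading the scheme: strip leading and
// trailing C0 control/space characters, then remove every tab and newline.
function normalise(raw) {
  return raw
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Lower-cased scheme, or null when the string is not an absolute URL.
function schemeOf(raw) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalise(raw));
  return m ? m[1].toLowerCase() : null;
}

// Media type of a data: URL; an omitted type means text/plain (RFC 2397).
function dataMediaType(raw) {
  const header = normalise(raw).slice("data:".length).split(",", 1)[0];
  const type = header.split(";", 1)[0].trim().toLowerCase();
  return type === "" ? "text/plain" : type;
}

// allowScripts=true models "warn before saving"; false models "bookmarks
// must be static", the stricter option raised in the thread.
function classifyBookmark(raw, { allowScripts = true } = {}) {
  const scheme = schemeOf(raw);
  const scripted = allowScripts ? "warn" : "block";
  if (scheme === null) return { action: "block", reason: "not an absolute URL" };
  if (scheme === "javascript") return { action: scripted, reason: "javascript: bookmarklet" };
  if (scheme === "data" && ACTIVE_DATA_TYPES.has(dataMediaType(raw))) {
    return { action: scripted, reason: "data: URL with active content" };
  }
  return { action: "allow", reason: "static link" };
}

// Constructed sample inputs.
for (const url of ["http://delicious.com/help/bookmarklets",
                   " Java\tScript:void(0)", "data:text/html,<p>hi</p>"]) {
  console.log(JSON.stringify(url), classifyBookmark(url));
}
```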