List:       kfm-devel
Subject:    Re: Possible security problem in KHTML or KMail?
From:       Vadim Plessky <lucy-ples () mtu-net ! ru>
Date:       2001-10-11 13:05:54

Hi,

On Wednesday 10 October 2001 01:29, Malte Starostik wrote:
|   Hi,
|
|   Vadim's message:
|   Subject: crash on amdzone.com - from ad.doubleclick.net
|   From: Vadim Plessky <lucy-ples@mtu-net.ru>
|   To: 30266@bugs.kde.org
|   Cc: KFM Devel <kfm-devel@master.kde.org>
|
|   caused the following error message to appear when I clicked on it in
| KMail. "Unable to run the command specified. The file or directory
|   file:/ads1_files/B46014;sZ=468x60;siteid=C296;ord=[timestamp].htm"

Hmm. At first glance, this just confirms the rumors circulating around that 
ad.doubleclick.net creates a potential threat to security (and collects private 
information about web sites' visitors...)

NOTE that the content of this IFRAME can be an HTML file *with JavaScript*!
And if it's coming from a different domain (not the domain the main page is 
located at), it can be enabled and expose a potential security threat.

Please consider a slightly modified testcase:
-----------------------------------
<HTML><HEAD>
</HEAD>
<BODY>
<P>Hello!</P>
<!-- IFRAME pointing at a local file; the script below tries to read it via DOM -->
<iframe id="fr1" width="200" height="300" src="/etc/passwd">
</iframe>
<SCRIPT language=Javascript>
 alert("hello");
 el=document.getElementsByTagName("IFRAME").item(0);
// el=document.getElementsByTagName("P").item(0);

 alert ( "el="+el);
 document.write("<BR> IFRAME id= "+el.id);
document.write("<BR> IFRAME.hasChildNodes() "+el.hasChildNodes());
if ( el.hasChildNodes() )
  {
    // walk into the IFRAME's child nodes and dump the first one's text
    document.write("<BR> childNodes ="+el.childNodes);
    document.write("<BR> childNodes.length ="+el.childNodes.length);
    a = el.childNodes.item(0);
    document.write("<BR> a= "+a);
    document.write("<BR> content:");
    document.write("<P>"+ a.nodeValue);
  }
 document.write("<BR> IFRAME.contentDocument "+el.contentDocument());

</SCRIPT>

</BODY>
</HTML>
-----------------------------------
Executing this testcase in Konq, I get:
~ ~ ~ ~ ~ ~
 IFRAME id= fr1
 IFRAME.hasChildNodes() false
 IFRAME.contentDocument (Internal function) 

and in Mozilla:
~ ~ ~ ~ ~ ~
 IFRAME id= fr1
IFRAME.hasChildNodes() true
childNodes =[xpconnect wrapped NodeList]
childNodes.length =1
a= [xpconnect wrapped Text]
content:

According to DOM2 specifications,
~ ~ ~ ~ ~ ~
Interface HTMLIFrameElement

Inline subwindows. See the IFRAME element definition in HTML 4.0.
IDL Definition

interface HTMLIFrameElement : HTMLElement {
           attribute DOMString        align;
           attribute DOMString        frameBorder;
           attribute DOMString        height;
           attribute DOMString        longDesc;
           attribute DOMString        marginHeight;
           attribute DOMString        marginWidth;
           attribute DOMString        name;
           attribute DOMString        scrolling;
           attribute DOMString        src;
           attribute DOMString        width;
// Introduced in DOM Level 2:
  readonly attribute Document         contentDocument;
};

So contentDocument is a valid DOM2 attribute
(therefore, Konq should return an attribute of Document in this testcase)

As soon as you get contentDocument, you can parse it and process some of its 
elements in the way you want.

NOTE that this fragment gives approximately the same results both in Mozilla/NS6 
and Konq, so we can't say that "KHTML introduced a security hole".
If there is a security hole here, then it was introduced by the W3C/DOM2 
group..

I think that an easy and reasonable fix for this is to have an (optional) 
possibility to "Turn Off DOM2::contentDocument exposure" in the Web Browsing 
settings.
It's OK for an Intranet to have it enabled (XML processing, etc.) but for the 
Internet it should, probably, be disabled.

It would be nice to hear comments both from KMail and KHTML developers.
|
|   Although external references are disabled, this "works" in a HTML mail:
|
|   <html><head></head><body>
|   <iframe width="200" height="300" src="/etc/passwd"></iframe>
|   </body></html>
|
|   (see the attachment to this mail for an example)
|
|   I'm not sure if there are any possible security/privacy problems with
| this, and whether KHTML or KMail is to blame here. Therefore crossposting.

-- 

Vadim Plessky
http://kde2.newmail.ru  (English)
33 Window Decorations and 6 Widget Styles for KDE
http://kde2.newmail.ru/kde_themes.html
KDE mini-Themes
http://kde2.newmail.ru/themes/
