[VIM] Is the Firefox PAC eval issue really a vulnerability?

Sullo sullo at cirt.net
Wed Sep 28 17:50:20 EDT 2005


I'll preface with the fact that I know very little about proxies.


Steven M. Christey wrote:

> https://bugzilla.mozilla.org/show_bug.cgi?id=302100
>
>Based on my very minimal understanding of browsers, it seems that most
>PAC scripts would come from a trusted source, e.g. an organization's
>IT department, and this trust is essential for proper operation of the
>browser (how else would a client know which proxies to use?)  
>

I'd argue that since it relies on external data (the .pac file
contents--coming from a remote source), then it should be able to safely
handle *anything* a .pac file could throw at it.

>In addition, it seems that the PAC format is in Javascript, thus the
>provider of the PAC can already do various DoS attacks and probably
>other things since I'd imagine the PAC is processed with some sort of
>privileges.  So it seems like the eval DoS isn't giving the PAC
>provider anything that they don't already have, and security
>boundaries aren't crossed, and it's not a security issue.

While they may govern what I can and can't surf from work, my proxy
admins have absolutely no access to my system.

I just did some quick reading and couldn't confirm my idea that a .pac
file could be auto-downloaded by a browser. However, if that's the case,
any proxy in an anonymous proxy list could potentially exploit this. 
Did I just make that up?

Either way, IMHO the pac parsing routines should happily ignore anything
that is not exactly what they are looking for, whether it was accidental
or someone replaced proxy.pac with a copy of Doom.

-Sullo


-- 

http://www.cirt.net/      |     http://www.osvdb.org/
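
The position argued in the message above, that a client should cope with anything a remote .pac file contains, sketched as an added example that is not part of the original e-mail and not Firefox's code: a Node.js evaluator that bounds the script's run time and accepts only a well-formed proxy list from FindProxyForURL. The function names, the 200 ms limit and the sample PAC files are assumptions made for illustration.

```javascript
const vm = require('node:vm');

// One entry of a FindProxyForURL() return value: DIRECT, or TYPE host:port.
const ENTRY = /^(?:DIRECT|(?:PROXY|SOCKS) ([A-Za-z0-9.-]{1,253}):(\d{1,5}))$/;

// Returns the list of entries, or null if any part of the value is not
// exactly what a proxy list looks like.
function parsePacResult(value) {
  if (typeof value !== 'string' || value.length > 1024) return null;
  const entries = value.split(';').map((s) => s.trim()).filter((s) => s !== '');
  if (entries.length === 0) return null;
  for (const entry of entries) {
    const m = ENTRY.exec(entry);
    if (!m) return null;
    if (m[2] !== undefined && (Number(m[2]) < 1 || Number(m[2]) > 65535)) return null;
  }
  return entries;
}

// Runs pacSource with a bounded run time and returns a validated proxy list,
// or null on any failure. node:vm is not a security boundary; it is used here
// for the timeout and for a global object separate from the caller's.
function evaluatePac(pacSource, url, host, timeoutMs = 200) {
  try {
    const context = vm.createContext(
      { pacUrl: String(url), pacHost: String(host) },
      { microtaskMode: 'afterEvaluate' } // queued promise jobs count against the timeout
    );
    vm.runInContext(String(pacSource), context, { timeout: timeoutMs });
    const value = vm.runInContext('FindProxyForURL(pacUrl, pacHost)', context, { timeout: timeoutMs });
    return parsePacResult(value);
  } catch (err) {
    return null; // syntax error, thrown exception, missing function, or timeout
  }
}

// Constructed sample inputs (not taken from the bug report).
const SAMPLES = {
  wellFormed: 'function FindProxyForURL(url, host) { return "PROXY proxy.example.test:8080; DIRECT"; }',
  neverReturns: 'function FindProxyForURL(url, host) { for (;;) {} }',
  junkResult: 'function FindProxyForURL(url, host) { return "PROXY proxy.example.test:8080; <b>hi</b>"; }',
  notAScript: 'MZ\u0090\u0000 not JavaScript at all',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, evaluatePac(src, 'http://www.example.test/', 'www.example.test'));
}
```

A null result leaves the choice between falling back to a direct connection and refusing to connect with the caller.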


